httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Setting the Timeout directive to refrain a DoS attacks
Date Thu, 25 Jun 2009 08:01:33 GMT
fredk2 wrote:
> Hi,
> 
> http://httpd.apache.org/docs/2.2/mod/core.html#timeout says:
> 
> The TimeOut directive currently defines the amount of time Apache will wait
> for three things
> 1. The total amount of time it takes to receive a GET request
> ...
> 
> 1. seems to be misleading; tests with "Timeout 3" do not appear very
> effective.
> For example:
> GET / HTTP/1.1
> Host: foo
> <sleep 2s>
> X-a: b
> <sleep 2s>
> ...
> 
> Such requests are not rejected after 3 seconds as expected.
> Are we missing in Apache a timer for the header to complete ~ HeaderTimeout
> 1?
> 
What you are describing above is exactly the way a "slowloris" 
Denial-Of-Service attack works.
On the majority of webservers, each such client locks up one child or 
thread of the webserver, for as long as it takes to complete the request.
It is quite difficult to fight this, because how do you then distinguish 
a legitimate client that happens to have a slow internet connection?

Item #1 above is relative to the time between
- the initial establishment of the TCP connection to Apache
- and the arrival of the first byte of the HTTP request itself
(the G of GET)
That is to avoid another type of DOS attack.
But how would Apache know in advance how many headers there are, or what 
is "reasonable" as a time before a whole POST request is in?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
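Added illustration for the exchange above (not code from the thread, from Apache, or from either poster): a small Python simulation that feeds the request pacing fredk2 describes through three timeout policies and reports when each one would drop the connection. The policies are the first-byte rule André describes for item #1, a plain idle-gap rule, and the whole-header deadline the original question asks for. All event streams, the 3-second timeout and the function names are constructed for the example.

```python
"""Simulate how different timeout policies treat a slowly paced request.

Each event stream is constructed by hand: an entry is
(seconds since the TCP connection was accepted, bytes that arrived then).
"""
from typing import List, Optional, Tuple

Event = Tuple[float, bytes]
HEADER_END = b"\r\n\r\n"  # blank line that terminates the request headers

# Constructed: the request from the original post, one header every 2 s,
# so no single gap ever exceeds "Timeout 3".
SLOW_HEADERS: List[Event] = [
    (0.1, b"GET / HTTP/1.1\r\n"),
    (0.1, b"Host: foo\r\n"),
    (2.1, b"X-a: b\r\n"),
    (4.1, b"X-b: c\r\n"),
    (6.1, b"X-c: d\r\n"),
    (8.1, b"\r\n"),  # headers finally complete 8.1 s after connect
]

# Constructed: a client that connects and then sends nothing for 5 s.
IDLE_CLIENT: List[Event] = [(5.0, b"GET / HTTP/1.1\r\nHost: foo\r\n\r\n")]

# Constructed: a legitimate client on a slow link, done within a second.
NORMAL_CLIENT: List[Event] = [
    (0.3, b"GET / HTTP/1.1\r\n"),
    (0.6, b"Host: foo\r\n"),
    (0.9, b"\r\n"),
]


def headers_complete_at(events: List[Event]) -> Optional[float]:
    """Return the moment the header-terminating blank line has been received,
    or None if the stream ends without one."""
    buf = b""
    for at, chunk in events:
        buf += chunk
        if HEADER_END in buf:
            return at
    return None


def first_byte_timeout(events: List[Event], timeout: float) -> Optional[float]:
    """Item #1 as André describes it: the clock runs only from connect until
    the first byte of the request line. Returns the time the connection is
    dropped, or None if the request gets through."""
    if not events or events[0][0] > timeout:
        return timeout
    return None


def idle_timeout(events: List[Event], timeout: float) -> Optional[float]:
    """Per-gap rule: drop the connection if more than `timeout` seconds pass
    with no data at all. A client that sends a header just inside every gap
    never trips it, which is what the original test observed."""
    last = 0.0
    for at, _ in events:
        if at - last > timeout:
            return last + timeout
        last = at
    if headers_complete_at(events) is None:
        return last + timeout  # stream stalls with the headers unfinished
    return None


def header_deadline(events: List[Event], timeout: float) -> Optional[float]:
    """The HeaderTimeout the original post asks for: the whole header block
    must be in within `timeout` seconds of connect, however it is paced."""
    done = headers_complete_at(events)
    if done is None or done > timeout:
        return timeout
    return None


def compare(timeout: float = 3.0) -> dict:
    """Run every policy over every constructed client; values are drop times."""
    clients = {"slow-headers": SLOW_HEADERS, "idle": IDLE_CLIENT, "normal": NORMAL_CLIENT}
    policies = {"first-byte": first_byte_timeout, "idle-gap": idle_timeout,
                "header-deadline": header_deadline}
    return {c: {p: fn(ev, timeout) for p, fn in policies.items()}
            for c, ev in clients.items()}


if __name__ == "__main__":
    for client, results in compare().items():
        print(client, results)
```

With the 3-second timeout, only the whole-header deadline drops the slowly paced request (at 3.0 s); the first-byte and idle-gap rules both let it tie up a worker for the full 8.1 s, while the normal client passes all three. The trade-off André raises shows up directly: the deadline has to be long enough for a genuinely slow link to finish its headers. Outside this page, later Apache 2.2.x releases added mod_reqtimeout, whose RequestReadTimeout directive enforces exactly this kind of header-completion deadline plus a minimum data rate.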