httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Setting the Timeout directive to refrain DoS attacks
Date Thu, 25 Jun 2009 13:19:20 GMT
fredk2 wrote:
> Wouldn't you think that a (simple) timer for the header could fend off some
> of the effect.  Can't we assume that if it takes more than 3 seconds to enter
> the header we do not want that client (I'll have to learn to type faster in
> telnet :-).
> 

For the headers, I think it might help.
But I'm sure that then the attack would switch to sending the headers 
fast, and then a long POST body, veeeeery slowly...

On another track, it seems that the "Event MPM" model of Apache is also 
relatively insensitive to the slowloris thing.


> Thanks - Fred
> 
> 
> awarnier wrote:
>> fredk2 wrote:
>>> Hi,
>>>
>>> http://httpd.apache.org/docs/2.2/mod/core.html#timeout says:
>>>
>>> The TimeOut directive currently defines the amount of time Apache will
>>> wait
>>> for three things
>>> 1. The total amount of time it takes to receive a GET request
>>> ...
>>>
>>> 1. seems to be misleading; tests with "Timeout 3" do not appear very
>>> effective.
>>> For example:
>>> GET / HTTP/1.1
>>> Host: foo
>>> <sleep 2s>
>>> X-a: b
>>> <sleep 2s>
>>> ...
>>>
>>> Such requests are not rejected after 3 seconds as expected.
>>> Are we missing in Apache a timer for the header to complete ~
>>> HeaderTimeout
>>> 1?
>>>
>> What you are describing above is exactly the way a "slowloris" 
>> Denial-Of-Service attack works.
>> On the majority of webservers, each such client locks up one child or 
>> thread of the webserver, for as long as it takes to complete the request.
>> It is quite difficult to fight this, because how do you then distinguish 
>> a legitimate client that happens to have a slow internet connection?
>>
>> Item #1 above is relative to the time between
>> - the initial establishment of the TCP connection to Apache
>> - and the arrival of the first byte of the HTTP request itself
>> (the G of GET)
>> That is to avoid another type of DOS attack.
>> But how would Apache know in advance how many headers there are, or what 
>> is "reasonable" as a time before a whole POST request is in ?
>>
>>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


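The disagreement in this thread is really about which clock a request timer runs on: a timer that restarts on every packet can never reject a client that trickles one header line every two seconds, while a deadline on the complete header block (fredk2's "HeaderTimeout") rejects it as soon as the budget runs out, at the price of also rejecting genuinely slow clients. The following Python script is an added example, not code from the original post or from Apache; it models both policies in a small in-process listener and replays a constructed request that mimics the telnet test quoted above (one header line every 0.25 s). The policy names `idle` and `deadline`, and the helpers `read_headers`, `slow_client` and `run_probe`, are hypothetical and do not describe how httpd implements the `Timeout` directive.

```python
import socket
import threading
import time

# Constructed sample request, mimicking the telnet test in the thread:
# one header line per "packet", with a pause between them.
REQUEST_LINES = [
    b"GET / HTTP/1.1\r\n",
    b"Host: foo\r\n",
    b"X-a: b\r\n",
    b"X-b: c\r\n",
    b"\r\n",  # empty line ends the header block
]


def read_headers(conn, policy, timeout):
    """Read an HTTP header block from a connected socket under one of two
    hypothetical timer policies (neither is Apache's implementation):
      'idle'     - `timeout` bounds the gap between successive reads, so a
                   client that trickles a line every few seconds never trips it;
      'deadline' - `timeout` bounds the time from the first read to the blank
                   line that ends the headers (the HeaderTimeout idea).
    Returns (status, bytes_received); status is 'ok', 'timeout' or 'closed'."""
    buf = b""
    deadline = time.monotonic() + timeout
    while b"\r\n\r\n" not in buf:
        if policy == "idle":
            conn.settimeout(timeout)          # restarts on every packet
        elif policy == "deadline":
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return ("timeout", buf)
            conn.settimeout(remaining)        # never extended by new data
        else:
            raise ValueError("policy must be 'idle' or 'deadline'")
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return ("timeout", buf)
        if not chunk:                         # peer closed the connection
            return ("closed", buf)
        buf += chunk
    return ("ok", buf)


def slow_client(port, lines, gap):
    """Send `lines` one at a time with `gap` seconds between them, like typing
    headers into telnet. Send errors after the server drops us are expected."""
    sock = socket.create_connection(("127.0.0.1", port))
    try:
        for i, line in enumerate(lines):
            if i:
                time.sleep(gap)
            sock.sendall(line)
    except OSError:
        pass
    finally:
        sock.close()


def run_probe(policy, timeout, gap, lines=REQUEST_LINES):
    """Run one slow-header probe against an in-process listener on a random
    loopback port. Returns (status, seconds_elapsed, bytes_received)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    client = threading.Thread(target=slow_client, args=(port, lines, gap), daemon=True)
    client.start()
    conn, _ = srv.accept()
    start = time.monotonic()
    status, data = read_headers(conn, policy, timeout)
    elapsed = time.monotonic() - start
    conn.close()
    srv.close()
    client.join(timeout=10)
    return status, elapsed, data


if __name__ == "__main__":
    # Four gaps of 0.25 s: each gap is under the 0.6 s timer, but the whole
    # header block takes about 1 s, so only the deadline policy rejects it.
    for policy in ("idle", "deadline"):
        status, elapsed, data = run_probe(policy, timeout=0.6, gap=0.25)
        print(f"{policy:8s} -> {status} after {elapsed:.2f}s, {len(data)} bytes")
```

The same distinction carries over to the slow POST body André predicts the attack would move to: a deadline (or a minimum byte rate) on the body read is what closes that hole, not a larger per-read timeout. Later 2.2.x releases of httpd shipped exactly this as mod_reqtimeout, whose `RequestReadTimeout header=...,MinRate=... body=...,MinRate=...` directive puts a deadline and a minimum data rate on both the header and the body phases.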