httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: [users@httpd] Setting the Timeout directive to refrain a DoS attacks
Date Thu, 25 Jun 2009 16:59:18 GMT
Tom Evans wrote:
> It is a bit like an arms race - I guess a solution could be to use a
> dedicated thread for reading in POST bodies. 

This is why IIS appears to the author that is invulnerable; IIS does fill
an initial buffer, at least 64k worth.  Exhaust that buffer and it should
cripple IIS just fine.

Because ultimately, you are not going to 'read POST bodies' as a specific
functional step.  They are of arbitrary length.  I can POST an entire .iso
dvd image.  If not consumed while read, this operational step would be
a joke, and you have a whole new DoS vector.

If Apache 3.0 event MPM becomes free-threaded, this situation goes away;
while waiting for more POST content, the request handler and modules would
not occupy a thread at all.  Look forward to the dire warnings of the evils
of threading, all over again, as third party modules are discovered to be
buggy, and are slowly fixed or forgotten.

> The best way to stop slowloris is to not allow a single user to cripple
> your server in this way, by restricting the number of connections a
> single IP can have to your servers. That of course, only leads to it
> becoming a DDoS rather than a DoS.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message