From: André Warnier
Reply-To: aw@ice-sa.com
To: users@httpd.apache.org
Date: Thu, 25 Jun 2009 10:01:33 +0200
Subject: Re: [users@httpd] Setting the Timeout directive to refrain a DoS attacks
Message-ID: <4A432EDD.3080206@ice-sa.com>
In-Reply-To: <24194473.post@talk.nabble.com>

fredk2 wrote:
> Hi,
>
> http://httpd.apache.org/docs/2.2/mod/core.html#timeout says:
>
> The TimeOut directive currently defines the amount of time Apache will wait
> for three things
> 1. The total amount of time it takes to receive a GET request
> ...
>
> 1. seems to be misleading, tests with "Timeout 3" do not appear very
> effective.
> For example:
> GET / HTTP/1.1
> Host: foo
>
> X-a: b
>
> ...
>
> Such requests are not rejected after 3 seconds as expected.
> Are we missing in Apache a timer for the header to complete ~ HeaderTimeout
> 1?
>

What you are describing above is exactly the way a "slowloris" Denial-of-Service attack works.
On the majority of webservers, each such client locks up one child or thread of the webserver, for as long as it takes to complete the request.
It is quite difficult to fight this, because how do you then distinguish a legitimate client that happens to have a slow internet connection?

The item #1 above is relative to the time between
- the initial establishment of the TCP connection to Apache
- and the arrival of the first byte of the HTTP request itself (the G of GET)
That is to avoid another type of DoS attack.
But how would Apache know in advance how many headers there are, or what is "reasonable" as a time before a whole POST request is in?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
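The "HeaderTimeout" the question asks for was later added to Apache httpd as mod_reqtimeout (shipped in 2.2.15, after this exchange). The configuration below is an added example, not part of the thread or of the Apache project's documentation: it places the weak setting from the question beside the corrected one. The directive names are real; the numeric values are assumptions chosen for illustration and should be tuned per site.

```apache
# Added example: the situation from the thread, then the mitigation.

# Weak: TimeOut on its own. As the reply describes it, this bounds the wait
# for the first byte of the request, not the time a client may take to
# finish sending the header block one line at a time.
Timeout 3

# Corrected: mod_reqtimeout (Apache httpd 2.2.15 and later) puts separate
# deadlines on the header section and on the body, and can require a
# minimum data rate, so a slow but honest client is extended while a client
# that only trickles bytes is not.
LoadModule reqtimeout_module modules/mod_reqtimeout.so

<IfModule reqtimeout_module>
    # header=20-40,MinRate=500: allow 20 seconds to receive the complete
    # request header; every 500 bytes received extends the deadline by one
    # second, up to an absolute limit of 40 seconds.
    # body=20,MinRate=500: the same for the request body, with no upper cap
    # beyond the rate requirement, so large uploads on slow links still work.
    # (Illustrative values, an assumption of this example.)
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# A connection that hits either limit is answered with 408 Request Timeout
# and its worker is freed, which is exactly what the quoted test was
# expecting from "Timeout 3" alone.
```

Because rejected requests are logged with status 408, counting 408 responses per client address in the access log is a simple way to confirm the policy is firing and to spot clients that repeatedly trip it.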