httpd-users mailing list archives

From Guillaume Bilodeau <guillaume.bilod...@gmail.com>
Subject [users@httpd] Re: mod_reqtimeout not returning 408
Date Fri, 15 Apr 2011 13:46:41 GMT
A little more information on the 200 return code:

It seems that mod_reqtimeout is not closing the connection after the 20
seconds, but rather truncating the request and letting it go through.  So
the request is actually processed, and since the URL is referring to an
actual resource, a 200 code is returned.

Surely there must be a configuration mistake somewhere?

Cheers,
GB

On Fri, Apr 15, 2011 at 8:48 AM, Guillaume Bilodeau <
guillaume.bilodeau@gmail.com> wrote:

> Hi all,
>
> In order to protect ourselves from a slowloris-type attack, we have
> configured the mod_reqtimeout module on our Apache 2.2.17 installation
> (running on Solaris, MPM compiled).  The mod_reqtimeout is configured as
> follows:
>
> RequestReadTimeout header=10-20,MinRate=500 body=10-20,MinRate=500
>
> We are testing using the OWASP http_dos_cli tool and are still able to make
> the site unreachable in a couple of seconds.  In the logs we do see that
> requests are being timed out and the connections closed at the correct
> moment, but the client is receiving a 200 status code instead of a 408.
> This difference keeps our mod_security rule set from gathering timeout
> statistics and blocking further requests from this IP.
>
> Any idea on why mod_reqtimeout is returning 200 and not 408?
>
> The original discussion on the owasp-modsecurity-core-rule-set mailing
> list:
> https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2011-April/000722.html
>
> Thanks a bunch!
> GB
>
>
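Added example, not part of the thread above and not httpd code: a small Python harness for checking what a slow client actually receives from a server protected by RequestReadTimeout. header_deadline() models the documented header=<initial>-<max>,MinRate=<rate> rule (one extra second of grace per MinRate bytes received, never beyond the maximum); FakeTimeoutServer is a constructed stand-in that applies that rule and answers 408 on timeout and 200 otherwise, so the script runs offline; slow_probe() is the slowloris-style client, which trickles the request head line by line and reports the status code the server sent, or None if the connection was closed with no status line. Point slow_probe() at a real httpd on port 80 to see whether the answer is a 408, a 200, or a bare close. All names here are the example's own.

```python
import select
import socket
import threading
import time


def header_deadline(initial, maximum, min_rate, bytes_received):
    """Seconds allowed for the request head under
    RequestReadTimeout header=<initial>-<maximum>,MinRate=<min_rate>:
    one extra second per min_rate bytes received, capped at maximum.
    (Model of the documented rule, not httpd's own code.)"""
    return min(maximum, initial + bytes_received // min_rate)


class FakeTimeoutServer:
    """Constructed stand-in for httpd + mod_reqtimeout: enforces
    header_deadline() on the request head, replies 200 if the head
    completes in time, otherwise 408 and closes. Not Apache itself."""

    def __init__(self, initial, maximum, min_rate):
        self.policy = (initial, maximum, min_rate)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, see self.port
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        initial, maximum, min_rate = self.policy
        start = time.monotonic()
        head = b""
        try:
            while b"\r\n\r\n" not in head:
                allowed = header_deadline(initial, maximum, min_rate, len(head))
                remaining = start + allowed - time.monotonic()
                if remaining <= 0:
                    conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
                    return
                conn.settimeout(remaining)
                try:
                    chunk = conn.recv(4096)
                except socket.timeout:
                    continue  # loop re-checks the deadline and emits the 408
                if not chunk:
                    return  # client went away
                head += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        except OSError:
            pass
        finally:
            conn.close()


def _read_reply(sock, wait):
    """None if nothing arrived within `wait` seconds, b"" if the peer closed,
    else the bytes received."""
    readable, _, _ = select.select([sock], [], [], wait)
    if not readable:
        return None
    try:
        return sock.recv(4096)
    except OSError:
        return b""


def _status_of(reply):
    """Status code from an HTTP status line, or None if there is no status line."""
    if not reply.startswith(b"HTTP/"):
        return None
    try:
        return int(reply.split(b" ", 2)[1])
    except (IndexError, ValueError):
        return None


def slow_probe(host, port, extra_headers, interval, reply_timeout=5.0):
    """Slowloris-style client: send the request head one line at a time with
    `interval` seconds between lines, watching for a reply the whole time.
    Returns (status_code_or_None, seconds_elapsed)."""
    lines = [b"GET / HTTP/1.1", b"Host: " + host.encode()]
    lines += [h.encode() for h in extra_headers]
    lines.append(b"")  # the blank line completes the head
    start = time.monotonic()
    with socket.create_connection((host, port)) as s:
        for line in lines:
            try:
                s.sendall(line + b"\r\n")
            except OSError:
                return None, time.monotonic() - start  # server already closed
            reply = _read_reply(s, interval)
            if reply is not None:
                return _status_of(reply), time.monotonic() - start
        reply = _read_reply(s, reply_timeout)
        return _status_of(reply), time.monotonic() - start


if __name__ == "__main__":
    srv = FakeTimeoutServer(initial=1, maximum=2, min_rate=500)  # header=1-2,MinRate=500
    print("slow client:", slow_probe("127.0.0.1", srv.port, ["X-Pad: a"] * 5, interval=0.7))
    print("fast client:", slow_probe("127.0.0.1", srv.port, [], interval=0))
```

With the stand-in the slow client gets a 408 after about one second and the fast one a 200; against a real httpd the interesting cases are a 200 or a closed connection with no status line at all, which is what a mod_security rule keyed on the status code would never see.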
