httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Guillaume Bilodeau <guillaume.bilod...@gmail.com>
Subject [users@httpd] Re: mod_reqtimeout not returning 408
Date Mon, 02 May 2011 13:18:00 GMT
Hi all,

I have opened a bug report and received confirmation that issues in HTTPD
Core are causing the following problems:

- Apache doesn't always return a 408 when a request time out is detected
(various cases)
- Apache doesn't handle a request time out properly when the URL corresponds
to a RedirectMatch directive

More details here: https://issues.apache.org/bugzilla/show_bug.cgi?id=51103

Hope that helps someone eventually.

Cheers,
GB

On Fri, Apr 15, 2011 at 9:46 AM, Guillaume Bilodeau <
guillaume.bilodeau@gmail.com> wrote:

> A little more information on the 200 return code:
>
> It seems that mod_reqtimeout is not closing the connection after the 20
> seconds, but rather truncating the request and letting it go through.  So
> the request is actually processed, and since the URL is referring to an
> actual resource, a 200 code is returned.
>
> Surely there must be a configuration mistake somewhere?
>
> Cheers,
> GB
>
> On Fri, Apr 15, 2011 at 8:48 AM, Guillaume Bilodeau <
> guillaume.bilodeau@gmail.com> wrote:
>
>> Hi all,
>>
>> In order to protect ourselves from a slowloris-type attack, we have
>> configured the mod_reqtimeout module on our Apache 2.2.17 installation
>> (running on Solaris, MPM compiled).  The mod_reqtimeout is configured as
>> follows:
>>
>> RequestReadTimeout header=10-20,MinRate=500 body=10-20,MinRate=500
>>
>> We are testing using the OWASP http_dos_cli tool and are still able to
>> make the site unreachable in a couple of seconds.  In the logs we do see
>> that requests are being timed out and the connections closed at the correct
>> moment, but the client is receiving a 200 status code instead of a 408.
>>  This difference keeps our mod_security rule set to gather timeout
>> statistics and block further requests from this IP.
>>
>> Any idea on why mod_reqtimeout is returning 200 and not 408?
>>
>> The original discussion on the owasp-modsecurity-core-rule-set mailing
>> list:
>> https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2011-April/000722.html
>>
>> Thanks a bunch!
>> GB
>>
>>
>

Mime
View raw message