On Nov 18, 2007 10:32 AM, Joshua Slive <joshua@xxxxxxxx> wrote:
> On Nov 18, 2007 10:28 AM, Ben Macintosh <bmac.list@xxxxxxxxx> wrote:
> > Hi
> > I'm currently facing a problem which I can't find any help for.
> > Every once in a while, my webserver doesn't respond to requests
> > anymore, i.e. the browser simply keeps on loading but doesn't get any
> > data.
> >
> > Using the status mod I found that in such a situation every possible
> > "slot" is being used by requests staying in "..reading.." status.
> > After restarting apache all the pending requests get processed but
> > after a few seconds all the slots are being blocked by the
> > "..reading.." status again.
> >
> > After some tests I could reproduce the situation with simply
> > initiating multiple telnet session to the webserver without sending
> > any data. Every such request blocks a slot for the default timeout of
> > 300 seconds.
> >
> > Is this common behaviour? If so, how to prevent it?
> > As I understand the issue it's a very simple DoS as it neither does
> > require a lot of cpu nor bandwidth on the client side.
>
> See:
> http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos
>
> The standard solution is a simple firewall rule to control number of
> connections per ip at some reasonable level.
>
> Joshua.

I like the firewall approach myself, as it seems likely that anyone
with malicious intent (as distinct from the uninformed download
accelerator user, etc) should forfeit their rights to your bandwidth
regardless of protocol.

But for a purely apache solution, have a look at mod_access (
http://httpd.apache.org/docs/2.0/mod/mod_access.html ).

-G

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
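Added example, not part of the thread above: a small monitoring check for the condition described in the thread, where worker slots fill with connections stuck in the reading state and a few clients hold many connections. It assumes mod_status machine-readable output (`/server-status?auto`, where `R` marks a slot reading a request and `.` an open slot) and Linux `ss -tn` output; the sample data, function names and the limit of 3 are constructed for illustration.

```python
from collections import Counter

# Constructed sample of mod_status machine-readable output (/server-status?auto).
SAMPLE_STATUS = """\
BusyWorkers: 10
IdleWorkers: 1
Scoreboard: RRRRRRRWR_R.....
"""

# Constructed sample in the layout of Linux `ss -tn`; addresses are documentation ranges.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      192.0.2.10:80       198.51.100.7:40112
ESTAB  0      0      192.0.2.10:80       198.51.100.7:40113
ESTAB  0      0      192.0.2.10:80       198.51.100.7:40114
ESTAB  0      0      192.0.2.10:80       198.51.100.7:40115
ESTAB  0      0      192.0.2.10:80       203.0.113.5:51822
ESTAB  0      0      192.0.2.10:22       203.0.113.9:50001
"""


def reading_slots(status_text):
    """Return (slots in 'R' = reading request, slots with a live worker)."""
    for line in status_text.splitlines():
        if line.startswith("Scoreboard:"):
            board = line.split(":", 1)[1].strip()
            live = [c for c in board if c != "."]  # '.' = open slot, no process
            return live.count("R"), len(live)
    raise ValueError("no Scoreboard line in status output")


def peers_over_limit(ss_text, port, limit):
    """Return {peer_ip: count} for peers holding more than `limit` connections to `port`."""
    counts = Counter()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line or a non-established state
        local_port = fields[3].rsplit(":", 1)[1]
        peer_ip = fields[4].rsplit(":", 1)[0]
        if local_port == str(port):
            counts[peer_ip] += 1
    return {ip: n for ip, n in counts.items() if n > limit}


if __name__ == "__main__":
    reading, live = reading_slots(SAMPLE_STATUS)
    print(f"{reading}/{live} live slots are reading a request")
    print("peers over limit:", peers_over_limit(SAMPLE_SS, 80, 3))
```

A high share of `R` slots together with one peer far over the limit matches the symptom reported in the thread; the per-IP count is the same quantity a firewall connection limit would cap.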