2007/11/19, Nick Kew <nick@xxxxxxxxxxxx>:
> On Mon, 19 Nov 2007 20:19:20 +0100
> "Ben Macintosh" <bmac.list@xxxxxxxxx> wrote:
>
> > I already thought about using a firewall rule. Although it could be
> > quite difficult to get it right. As every malicious request blocks a
> > slot for 5 minutes there hasn't got to be a lot of traffic/requests.
>
> 5 minutes??? Where does that come from?

That's the default timeout that a http child waits for, before closing
the connection.

> Maybe you might want to use AcceptFilter to prevent malicious requests
> tying anything up for more than a couple of microseconds?

That's it! And since AcceptFilter is only available on Apache > 2.1.5
that's also the reason why it didn't work with Debian Sarge (Apache
2.0.54) but was working as intended ootb in Debian Etch (Apache 2.2.3).

If "AcceptFilter http none" is set, both versions behave exactly in the
same (bad) way, but when "AcceptFilter http httpready" is set, it's
working again.

Thanks for pointing me to the right direction - never heard about
AcceptFilter before.

Ben

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
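
The mechanism behind the AcceptFilter behaviour discussed in this thread, as an added example that is not part of the original messages or of httpd's code: on Linux, httpd's accept filter is implemented with the `TCP_DEFER_ACCEPT` socket option, which keeps a connection in the kernel until the client sends its first bytes. The sketch assumes a Linux host with loopback networking; `accept_within` and the sample request are constructed for illustration.

```python
import socket


def accept_within(defer_secs, client_sends, wait=0.5):
    """Return True if accept() hands a connection to user space within `wait` s.

    defer_secs   -- 0 models "AcceptFilter http none"; >0 enables the filter
    client_sends -- whether the client writes a request after connecting
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if defer_secs:
        # Linux accept filter: the kernel holds the connection until the
        # first data segment arrives (or the defer period runs out).
        srv.setsockopt(socket.IPPROTO_TCP, socket.TCP_DEFER_ACCEPT, defer_secs)
    srv.bind(("127.0.0.1", 0))   # ephemeral loopback port
    srv.listen(8)
    srv.settimeout(wait)

    cli = socket.create_connection(srv.getsockname(), timeout=2)
    try:
        if client_sends:
            cli.sendall(b"GET / HTTP/1.0\r\n\r\n")  # constructed sample request
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            # Nothing reached user space: no worker slot would be occupied.
            return False
        conn.close()
        return True
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    # Silent client, no filter: accepted at once, a worker would sit in read().
    print("no filter, silent client :", accept_within(0, False))
    # Silent client, filter on: stays in the kernel, no worker is consumed.
    print("filter on, silent client :", accept_within(5, False))
    # Client that sends a request, filter on: delivered normally.
    print("filter on, real request  :", accept_within(5, True))
```

The filter only defers the hand-off: once the defer period expires, the kernel can still deliver a silent connection, so the server's read timeout remains the backstop.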