Wouldn't you think that a (simple) timer for the header could fend off some
of the effect. Can't we assume that if it takes more than 3 seconds to enter
the header we do not want that client (I'll have to learn to type faster in
telnet :-).

Thanks - Fred

awarnier wrote:
>
> fredk2 wrote:
>> Hi,
>>
>> http://httpd.apache.org/docs/2.2/mod/core.html#timeout says:
>>
>> The TimeOut directive currently defines the amount of time Apache will
>> wait for three things
>> 1. The total amount of time it takes to receive a GET request
>> ...
>>
>> 1. seems to be misleading, tests with "Timeout 3" do not appear very
>> effective.
>> For example:
>> GET / HTTP/1.1
>> Host: foo
>> <sleep 2s>
>> X-a: b
>> <sleep 2s>
>> ...
>>
>> Such requests are not rejected after 3 seconds as expected.
>> Are we missing in Apache a timer for the header to complete ~
>> HeaderTimeout 1?
>>
> What you are describing above is exactly the way a "slowloris"
> Denial-Of-Service attack works.
> On the majority of webservers, each such client locks up one child or
> thread of the webserver, for as long as it takes to complete the request.
> It is quite difficult to fight this, because how do you then distinguish
> a legitimate client that happens to have a slow internet connection?
>
> The item #1 above is relative to the time between
> - the initial establishment of the TCP connection to Apache
> - and the arrival of the first byte of the HTTP request itself
> (the G of GET)
> That is to avoid another type of DOS attack.
> But how would Apache know in advance how many headers there are, or what
> is "reasonable" as a time before a whole POST request is in?
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>

--
View this message in context: http://www.nabble.com/Setting-the-Timeout-directive-to-refrain-a-DoS-attacks-tp24194473p24203038.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
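The difference Fred is asking about, a timeout that restarts with every packet versus a deadline on the whole header block, is easy to see in a small simulation. The Python below is an added illustration written for this thread, not Apache code and not anything either poster wrote: it models `TimeOut` as an idle timeout that restarts on each received packet (that is the assumption that explains why 2-second pauses never trip `Timeout 3`), and adds the header-completion deadline Fred proposes under the hypothetical name `header_timeout`. The connection object and the two traffic scripts are constructed, with a simulated clock so nothing actually sleeps. (Apache later shipped this idea as mod_reqtimeout's `RequestReadTimeout` directive.)

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEADER_END = b"\r\n\r\n"   # blank line that terminates the request head


@dataclass
class ScriptedConnection:
    """Constructed stand-in for a client socket with a simulated clock.

    `events` is a list of (seconds since TCP connect, bytes) pairs; recv()
    hands the chunks out in order without any real sleeping.
    """
    events: List[Tuple[float, bytes]]
    now: float = 0.0
    _next: int = field(default=0, repr=False)

    def recv(self, deadline: float) -> Optional[bytes]:
        """Return the next chunk if it arrives by `deadline`; otherwise
        advance the clock to the deadline and return None (a timeout)."""
        if self._next < len(self.events):
            arrives_at, data = self.events[self._next]
            if arrives_at <= deadline:
                self._next += 1
                self.now = arrives_at
                return data
        self.now = deadline
        return None


def read_request_head(conn: ScriptedConnection, idle_timeout: float,
                      header_timeout: Optional[float] = None
                      ) -> Tuple[str, float, bytes]:
    """Read the request line plus headers, through the blank line.

    idle_timeout   - longest allowed gap between two packets; restarts on
                     every packet (models TimeOut as assumed above).
    header_timeout - optional cap on the time from connect to the end of
                     the header block (the proposed HeaderTimeout; hypothetical).
    Returns (outcome, seconds since connect, bytes read), outcome being
    'ok', 'idle_timeout' or 'header_timeout'.
    """
    head_deadline = conn.now + header_timeout if header_timeout is not None else None
    buf = b""
    while HEADER_END not in buf:
        deadline = conn.now + idle_timeout          # idle clock restarts here
        if head_deadline is not None:
            deadline = min(deadline, head_deadline)  # never wait past the head deadline
        chunk = conn.recv(deadline)
        if chunk is None:
            if head_deadline is not None and conn.now >= head_deadline:
                return "header_timeout", conn.now, buf
            return "idle_timeout", conn.now, buf
        buf += chunk
    return "ok", conn.now, buf


# Constructed replay of the request shape in Fred's test: one header line
# every 2 seconds, each gap under a 3-second TimeOut, blank line never sent.
SLOW_HEADER_EVENTS = [
    (0.0, b"GET / HTTP/1.1\r\nHost: foo\r\n"),
    (2.0, b"X-a: b\r\n"),
    (4.0, b"X-b: c\r\n"),
    (6.0, b"X-c: d\r\n"),
    (8.0, b"X-d: e\r\n"),
]

# Constructed well-behaved client on a slow link: one 2.5 s pause, then done.
NORMAL_EVENTS = [
    (0.0, b"GET / HTTP/1.1\r\n"),
    (2.5, b"Host: foo\r\n\r\n"),
]


def idle_only(events):
    """Timeout 3 with no header-completion deadline."""
    return read_request_head(ScriptedConnection(list(events)), idle_timeout=3.0)


def with_header_deadline(events):
    """Timeout 3 plus a 5-second deadline on the whole header block."""
    return read_request_head(ScriptedConnection(list(events)),
                             idle_timeout=3.0, header_timeout=5.0)


if __name__ == "__main__":
    for label, events in (("slow headers", SLOW_HEADER_EVENTS), ("normal", NORMAL_EVENTS)):
        print(label, "idle only:", idle_only(events)[:2])
        print(label, "with header deadline:", with_header_deadline(events)[:2])
```

With the idle-only policy the scripted slow client is not cut off until 3 seconds after its last packet, so a client that keeps sending one line every 2 seconds holds the worker for as long as it likes; the header deadline ends the same connection at 5 seconds regardless of how the packets are spaced. The legitimate slow client, which finishes its head at 2.5 seconds, passes under both policies, which is the trade-off awarnier raises: the deadline has to be long enough for real slow links yet short enough to bound how long an incomplete request can occupy a worker.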