> Posted to users@ (as well as dev@) in case anyone wants to
> report experiences - good or bad - on using it.

I have tried using various Apache modules to address possibilities of Slowloris attacks. Finally, after not being satisfied with what existing modules had to offer, I ended up using operating system firewall rules to limit the number of concurrent TCP connections from any given IP address.

The firewall solution (using OpenBSD Packet Filter) was not perfect either, because connections in a FIN_WAIT_2 state are counted towards the "open connection number", and they linger for about a minute. What I really wanted was a limit on the number of established TCP connections from any single IP address.

The problem I had with existing Apache modules (I forget which ones exactly I tried) is that they forked a child process for incoming connections, and then only after forking did they close the connection under certain conditions. What I really wanted was the ability to _not_ fork a child process for an incoming TCP connection from an IP address if there already exist N established TCP connections from that IP address.

Perhaps due to the limitations of Apache's architecture (??) it's not possible to control whether a TCP connection causes a fork (??) via a custom module. Since Apache forks always, regardless of what the anti-loris modules did afterwards, the max children in Apache can be reached quickly, and that would cause a denial of service until the children would be freed up.

Is it possible to write a module that prevents a fork altogether as described?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
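As an added illustration (not part of the post above, and not the poster's actual ruleset), here is the shape of an OpenBSD pf.conf fragment for the per-source limiting the post describes. The rule names, table name, port list and all numeric limits are assumptions chosen for the example. pf's `max-src-conn` counts TCP connections from one source that have completed the three-way handshake, so it is a per-IP established-connection limit; the state for a connection in FIN_WAIT_2 still exists, and therefore still counts, until the `tcp.finwait` timeout expires (45 seconds by default), which is why the example also shortens that timeout.

```pf
# Added example: per-source connection limiting against slow-connection
# (Slowloris-style) clients with OpenBSD pf. Names and values are assumptions.

# Shorten how long a half-closed (FIN_WAIT_2) state lingers before it is
# dropped and stops counting against the source's connection limit.
set timeout tcp.finwait 15

# Table of offending sources; persist so it survives reloads with no members.
table <slowclients> persist

# Drop anything from sources that tripped the limit below. "quick" stops
# further rule evaluation so the pass rule never admits them.
block in quick on egress proto tcp from <slowclients>

# Admit web traffic, but cap each source at 25 established connections and
# at 15 new connections per 5 seconds. A source that exceeds either limit is
# added to <slowclients>, and "flush global" tears down all of its existing
# states so it frees the Apache children it was holding.
pass in on egress proto tcp to port { 80 443 } flags S/SA keep state \
    (max-src-conn 25, max-src-conn-rate 15/5, \
     overload <slowclients> flush global)
```

Entries in the table are not expired by pf on their own; a periodic `pfctl -t slowclients -T expire 600` (from cron, for example) clears sources that have been in the table longer than the given number of seconds, so a legitimate client behind a busy NAT is not blocked indefinitely. Note that this only changes what reaches the listening socket; it does not change how Apache hands an accepted connection to a child process, which is the separate question the post asks.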