Turn on accept filtering and this problem goes away. Or at least it moves to be a kernel-level issue instead of an Apache one.
How does that work with large requests? Doesn't the whole principle leave you the choice of just moving the DoS attack or breaking pipelining?
You mean the httpready filter? The accept will trigger once the buffer is full, so yes, large requests will defeat it eventually, but you still get the benefit of not tying up an Apache process until the buffer has been filled. The question was regarding just opening up lots of connections and letting them sit there, so the request size didn't matter in the context of the question.
And yes, if you have KeepAlive enabled, there is no protection for subsequent slow or stalled requests, but there is a KeepAlive timeout there. Most busy sites disable KeepAlive anyway since it is a DoS feature in the sense that you tend to get a lot of processes sitting around waiting on slow clients.
I did fix an issue last year where even with accept filtering enabled you could DoS any Apache server by simply opening MaxClients connections and trickling a carriage return to each connection very slowly. So for people seeing DoS issues like this, I would suggest upgrading to the latest version, turning on accept filtering and turning off keepalive.
-Rasmus
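The settings Rasmus recommends, written out as an httpd.conf fragment. This is a constructed example added here for illustration, not configuration posted in the thread; the weak block shows the defaults that let idle connections pin a worker, the hardened block enables the kernel accept filter and turns KeepAlive off. The timeout and MaxClients values are placeholders, and the mod_reqtimeout block is a later httpd module (2.2.15 and newer) that the thread does not mention; it limits how long a client may take to deliver the request header, which is the trickle case described above.

```apache
# --- Weak (constructed): each idle or trickling connection holds an Apache
# process from accept() until Timeout expires, so MaxClients idle sockets
# exhaust the server.
#
# AcceptFilter http none
# KeepAlive On
# KeepAliveTimeout 15
# Timeout 300

# --- Hardened: accept filtering on, KeepAlive off -------------------------

# Let the kernel hold the socket until a complete HTTP request header has
# arrived, so no httpd process is tied up by a half-open or idle client.
# "httpready" is the FreeBSD accf_http filter (kernel module accf_http must be
# loaded). On Linux only "data" is available (TCP_DEFER_ACCEPT), which wakes
# accept() on the first data byte rather than on a full request.
AcceptFilter http httpready
# TLS bytes are not parseable as HTTP, so only wait for data on https.
AcceptFilter https dataready

# No idle persistent connections waiting on slow clients.
KeepAlive Off

# Placeholder: how long an already-accepted connection may sit idle.
Timeout 60

# Placeholder worker limit (MaxRequestWorkers on httpd 2.4).
MaxClients 256

# Optional, not discussed in the thread: bound the time a client may take to
# send the request header and body, and require a minimum byte rate once data
# starts, so a client trickling one byte at a time is dropped.
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

Note that accept filtering only covers the first request on a connection; with KeepAlive on, the second and later requests on the same socket are back in the hands of the httpd process and its Timeout, which is why the two settings are used together.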
