> You mean the httpready filter? The accept will trigger once the buffer
> is full, so yes, large requests will defeat it eventually, but you still
> get the benefit of not tying up an Apache process until the buffer has
> been filled. The question was regarding just opening up lots of
> connections and letting them sit there, so the request size didn't
> matter in the context of the question.
>
> And yes, if you have KeepAlive enabled, there is no protection for
> subsequent slow or stalled requests, but there is a KeepAlive timeout
> there. Most busy sites disable KeepAlive anyway since it is a DoS
> feature in the sense that you tend to get a lot of processes sitting
> around waiting on slow clients.
>
> I did fix an issue last year where even with accept filtering enabled
> you could DoS any Apache server by simply opening MaxClients connections
> and trickling a carriage return to each connection very slowly. So for
> people seeing DoS issues like this, I would suggest upgrading to the
> latest version, turning on accept filtering and turning off keepalive.

I haven't been able to enable accept filters on Linux. Where can I get a howto or some info?

> -Rasmus
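
Added example, not part of the original thread: on Linux the accept-filter behaviour discussed above is provided by the `TCP_DEFER_ACCEPT` socket option (Apache selects it with `AcceptFilter http data`), which holds a connection in the kernel until the client sends its first bytes. The sketch below shows that an idle connection does not wake `accept()` on a deferred listener; the loopback address, the 5-second defer value and the function names are assumptions made for the demonstration.

```python
import socket

DEFER_SECONDS = 5   # assumed value: how long the kernel holds a silent connection
ACCEPT_WAIT = 0.5   # how long the stand-in "worker" blocks in accept()


def make_listener(defer_accept):
    """Loopback listener on an ephemeral port, optionally with deferred accept."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if defer_accept:
        # Linux-only option: accept() is not woken until request data arrives.
        srv.setsockopt(socket.IPPROTO_TCP, socket.TCP_DEFER_ACCEPT, DEFER_SECONDS)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(ACCEPT_WAIT)
    return srv


def accept_fires(defer_accept, client_sends_data):
    """Return True if accept() hands the connection to the worker in time."""
    srv = make_listener(defer_accept)
    # The client's connect() succeeds either way; only the server side differs.
    cli = socket.create_connection(srv.getsockname(), timeout=2)
    try:
        if client_sends_data:
            cli.sendall(b"GET / HTTP/1.0\r\n\r\n")  # constructed sample request
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            return False  # connection is still parked in the kernel
        conn.close()
        return True
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    print("plain listener, idle client    :", accept_fires(False, False))
    print("deferred listener, idle client :", accept_fires(True, False))
    print("deferred listener, data sent   :", accept_fires(True, True))
```

The deferral only covers the wait for the first bytes of a connection, so it does not help with later requests on a kept-alive connection, which is the limitation the quoted message describes.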
