Bill Stoddard wrote:
My thinking on how to solve this has changed over the past year or so... there are numerous ways to DoS an httpd server and you can't protect against the more effective attacks at the httpd layer.


I forgot the punch line here but hopefully it's obvious where I'm heading... apr_sendfile on Windows performs badly because of a misguided attempt at mitigating a particular DoS attack against the server and the cure is worse than the disease. We should change apr_sendfile to perform optimally on Windows w/o concern for httpd level DoS attacks.

Yup.  It's definitely worth considering your alternatives.  It's also
worth looking at what socket-level timeouts exist, or if we can start
plugging in some higher-level timeout within the MPM.  When a process
does nothing in certain phases of the request cycle after some timeout,
simply close the socket from underneath APR.

So how to figure out if we are making progress?  I'm unsure and this
all deserves another look at the current state of the Win32 sockets API,
I haven't fallen down that well in a good long time :)

Of course async would be wonderful, at some point, as apache 3.0 starts
to draw interest.

Bill
