On Thu, 2006-09-21 at 12:18 +0200, Plüm, Rüdiger, VF EITO wrote:
> IMHO this waits for a DoS to happen if the requestor can trick the backend
> to get stuck with the request. So one request of this type would be sufficient
> to DoS the whole server if the timeout is not very short.

How would this be more of a DoS than just flooding the proxy with connections to a non-existing server? The delay is per URL, not a whole requested site.

Sure, an attacker can use this to make it look like a site with this problem is non-responsive for users via the cache, but it's not that difficult to handle. Maybe you already do what we do in Squid: ignore the cache on "reload" request. Solves the problem quite nicely.

However, in Squid we do start transmitting what is available immediately, but our design is somewhat different.

To avoid DoS all you need to do is keep monitoring the client connection, and abort if the client aborts while waiting for the entity to become available.

Regards
Henrik
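The mitigation described in the message above (keep watching the client connection and stop waiting when the client goes away), sketched with poll(). This is an added example, not code from the message, Apache httpd or Squid; `wait_for_entity`, `simulate` and the `ready_fd` notification descriptor are hypothetical names, and the socketpair and pipe are constructed stand-ins for a client connection and a cache notification.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum wait_result { WAIT_READY, WAIT_CLIENT_ABORTED, WAIT_TIMEOUT, WAIT_ERROR };

/* Wait until the entity is ready (ready_fd readable), the client goes away,
 * or timeout_ms passes. The client is checked first, so an aborted request
 * stops holding a slot as soon as the abort is visible. */
enum wait_result wait_for_entity(int client_fd, int ready_fd, int timeout_ms)
{
    struct pollfd fds[2] = { { .fd = client_fd, .events = POLLIN },
                             { .fd = ready_fd,  .events = POLLIN } };
    for (;;) {
        int n = poll(fds, 2, timeout_ms);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return WAIT_ERROR;
        if (n == 0) return WAIT_TIMEOUT;
        if (fds[0].revents & (POLLHUP | POLLERR | POLLNVAL)) return WAIT_CLIENT_ABORTED;
        if (fds[0].revents & POLLIN) {
            char c;   /* peek: 0 = orderly close, <0 = reset, >0 = pipelined data */
            if (recv(client_fd, &c, 1, MSG_PEEK) <= 0) return WAIT_CLIENT_ABORTED;
            fds[0].events = 0;   /* data pending: keep watching only for hangup/error */
        }
        if (fds[1].revents & POLLIN) return WAIT_READY;
        /* Simplification: a retry restarts the full timeout. */
    }
}

/* Constructed scenario: a socketpair stands in for the client connection and
 * a pipe for the "entity is now in the cache" notification. */
enum wait_result simulate(int client_closes, int entity_arrives, int timeout_ms)
{
    int conn[2], note[2];
    enum wait_result r = WAIT_ERROR;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, conn) < 0) return r;
    if (pipe(note) == 0) {
        if (client_closes) shutdown(conn[1], SHUT_RDWR);
        if (!entity_arrives || write(note[1], "x", 1) == 1)
            r = wait_for_entity(conn[0], note[0], timeout_ms);
        close(note[0]); close(note[1]);
    }
    close(conn[0]); close(conn[1]);
    return r;
}

int main(void)
{
    printf("client aborts: %d\n", simulate(1, 0, 2000));
    printf("entity ready:  %d\n", simulate(0, 1, 2000));
    printf("timeout:       %d\n", simulate(0, 0, 50));
    return 0;
}
```

The timeout still bounds a request whose client stays connected, so the wait is limited by whichever of the two conditions comes first.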