On Sun, Feb 13, 2011 at 4:00 PM, Graham Leggett <[email protected]> wrote:
> On 14 Feb 2011, at 1:56 AM, Paul Querna wrote:
>
>> Additionally, this should be a configurable behavior.
>>
>> Let's say you run a popular website that depends on mod_cache to
>> protect backend systems from complete overload.
>>
>> All you need to do now as an attacker is POST / DELETE to / or another
>> important URL every 200ms, and the cache becomes invalidated, causing
>> a flood of requests to backends that might not be able to support it.
>>
>> Thoughts?
>
> How is this different from "Cache-Control: no-cache" in the request?

It does a single request to the backend, but doesn't _invalidate_ the existing cache, which would cause a flood of other, non-attacker clients to come in.
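
The contrast drawn in this message, as a toy simulation added here (not part of the original email and not mod_cache code). The function name `simulate`, the mode strings, the tick-based backend latency and the absence of request coalescing are all assumptions of the model.

```python
# Constructed model: one cached URL, a steady stream of ordinary GETs,
# and one periodic request that is either an unsafe method which drops
# the entry ("invalidate") or a GET with Cache-Control: no-cache.

def simulate(mode, ticks=20, clients_per_tick=100, period=5, fill_ticks=2):
    """Return (total_backend_hits, backend_hits_from_ordinary_clients)."""
    cached = True           # the entry starts warm
    refill_done_at = None   # tick at which an in-flight response gets stored
    total = normal = 0
    for t in range(ticks):
        # A backend response requested earlier has arrived and is stored.
        if refill_done_at is not None and t >= refill_done_at:
            cached, refill_done_at = True, None
        # The periodic request discussed in the thread.
        if t % period == 0:
            total += 1      # either kind reaches the backend exactly once
            if mode == "invalidate":
                cached, refill_done_at = False, None  # entry is dropped
            # "no-cache": the existing entry stays usable for everyone else
        if cached:
            continue        # ordinary GETs are served from the cache
        # No entry: every ordinary GET falls through to the backend
        # (assumption: no coalescing of concurrent misses).
        normal += clients_per_tick
        total += clients_per_tick
        if refill_done_at is None:
            refill_done_at = t + fill_ticks
    return total, normal

if __name__ == "__main__":
    for mode in ("no-cache", "invalidate"):
        total, normal = simulate(mode)
        print(f"{mode:10s} backend hits: total={total} from_other_clients={normal}")
```

With these constructed parameters the no-cache case costs the backend one request per period, while the invalidating case adds every ordinary client's request for as long as the refill takes.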
