> -----Original Message-----
> From: Stefan Fritsch
> Sent: Thursday, 25 August 2011 08:21
> To: dev@httpd.apache.org
> Subject: Re: DoS with mod_deflate & range requests
>
> On Thursday 25 August 2011, Jim Jagielski wrote:
> > OK then... we seem to be coalescing into some consensus here...
> > basically, if the client sends stuff which is brain-dead stupid,
> > we simply 2000 and send the whole kit-and-kaboodle.
> >
> > I'd like to propose that we update the byterange filter to perform
> > the following:
> >
> > o coalesce all adjacent ranges, whether overlapping or not.
> >   (eg: 200-250,251-300 & 200-250,220-300 both merge to 200-300)
>
> This may still confuse a broken client. Maybe we could omit that from
> the 2.2 patch for now and only commit to 2.3.
Sounds like a plan. Or make it configurable with a default of off in 2.2.x and on in 2.3.x

> > o We count:
> >   the number of times a gap between ranges is <80bytes
> >   the number of times we hit a descendent range
> >   (eg: 200-1000,2000-3000,1200-1500,4000-5000 would count as 1)
> >   the number of ranges total (post ascending merge)
> >   If any >= some config-time limit, we send a 200
> >
> > This is a start and was chosen simply for ease of implementation...
> > We can then expand it to be more functional...
> >
> > Comments?

Looks good. Plus we should implement the patch from Stefan below and then we should be good.

> Please also look at the patch at
>
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3c201108250138.49474...@sfritsch.de%3E
>
> which greatly reduces the memory needed for the range requests.
> BTW, I won't have time to beat that into shape today. If anyone else
> has, please go ahead.

Regards

Rüdiger
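The heuristic Jim proposes above (ascending merge of adjacent and overlapping ranges, then counting small gaps, descending ranges and total ranges, and falling back to a 200 when any counter reaches a limit) is compact enough to write down as a reference implementation. The following is an added example written for this page, not code from httpd or from anyone in the thread: the function names, the `CONFIG_LIMIT` value and the restriction to absolute `a-b` byte ranges are assumptions of this example; the 80-byte gap threshold and the merge examples are taken from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# From the thread: "the number of times a gap between ranges is <80bytes".
SMALL_GAP_BYTES = 80
# Placeholder for the "config-time limit" proposed in the thread (assumption).
CONFIG_LIMIT = 200


@dataclass
class RangeStats:
    merged: List[Tuple[int, int]]  # ranges after the ascending merge
    small_gaps: int                # gaps < SMALL_GAP_BYTES between merged ranges
    descending: int                # ranges sent with a start below the previous start
    total: int                     # number of ranges post ascending merge


def parse_byte_ranges(header_value: str, content_length: int) -> Optional[List[Tuple[int, int]]]:
    """Parse 'bytes=a-b,c-d' into inclusive (start, end) pairs.

    Only the absolute 'a-b' form is handled in this example (suffix and
    open-ended ranges are treated as malformed here). Returns None for a
    malformed header so the caller ignores Range and serves the full body.
    """
    if not header_value.startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in header_value[len("bytes="):].split(","):
        start_s, sep, end_s = spec.strip().partition("-")
        if not sep or not start_s.isdigit() or not end_s.isdigit():
            return None
        start, end = int(start_s), int(end_s)
        if start > end:
            return None
        if start >= content_length:
            continue  # unsatisfiable range: dropped here
        ranges.append((start, min(end, content_length - 1)))  # clamp to the body
    return ranges


def analyse_ranges(ranges: List[Tuple[int, int]]) -> RangeStats:
    """Compute the three counters from the proposal over one Range header."""
    # Descending ranges are counted in the order the client sent them,
    # e.g. 200-1000,2000-3000,1200-1500,4000-5000 counts as 1.
    descending = sum(1 for i in range(1, len(ranges)) if ranges[i][0] < ranges[i - 1][0])

    # Ascending merge: coalesce adjacent (251 after 250) and overlapping ranges.
    merged: List[Tuple[int, int]] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))

    # Gaps are measured between the merged, ascending ranges.
    small_gaps = sum(
        1 for i in range(1, len(merged))
        if merged[i][0] - merged[i - 1][1] - 1 < SMALL_GAP_BYTES
    )
    return RangeStats(merged, small_gaps, descending, len(merged))


def decide(header_value: str, content_length: int, limit: int = CONFIG_LIMIT):
    """Return (206, merged ranges) to serve a multipart/byteranges response,
    or (200, None) meaning 'ignore Range and send the whole representation'."""
    ranges = parse_byte_ranges(header_value, content_length)
    if not ranges:
        return 200, None
    stats = analyse_ranges(ranges)
    if stats.small_gaps >= limit or stats.descending >= limit or stats.total >= limit:
        return 200, None
    return 206, stats.merged


if __name__ == "__main__":
    # Constructed inputs mirroring the examples in the thread.
    print(decide("bytes=200-250,251-300", 1000))   # (206, [(200, 300)])
    print(analyse_ranges([(200, 1000), (2000, 3000), (1200, 1500), (4000, 5000)]))
```

Note that the merge step changes what the client receives (one part instead of two), which is exactly the point Stefan raises about confusing broken clients; keeping the merge behind a configuration switch, as suggested in the reply, would mean gating only the `merged` result, while the counters can still be computed on the merged view either way.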