On 30 April 2013 11:14, Reindl Harald <h.rei...@thelounge.net> wrote:
> On 30.04.2013 12:03, André Warnier wrote:
>> As a general idea thus, anything which impacts the delay to obtain a 404
>> response, should impact these bots much more than it impacts legitimate
>> users/clients.
>>
>> How much ?
>>
>> Let us imagine for a moment that this suggestion is implemented in the
>> Apache webservers, and is enabled in the default configuration. And let's
>> imagine that after a while, 20% of the Apache webservers deployed on the
>> Internet have this feature enabled, and are now delaying any 404 response
>> by an average of 1000 ms
>
> which is an invitation for a DDOS-attack because it would
> make it easier to use every available worker and by the
> delay at the same time active iptables-rate-controls
> get useless because you need fewer connections for the
> same damage
>
> no - this idea is very very bad and if you ever saw a
> DDOS-attack from 10 thousands of ip-addresses on a
> machine you maintain you would not consider anything
> which makes responses slower because it is the wrong
> direction
There's no reason to make this a DoS vector - clearly you can queue all the delayed responses in a single process and not tie up available processes. And if that process gets full, you just drop them on the floor.
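A small queueing model of the two designs argued over above (the delay served by a sleeping worker versus delayed responses parked in one bounded queue that drops on overflow), added here as an example and not taken from the thread; the request rate, service time, queue capacity and pool size are constructed numbers:

```python
"""Little's-law model (L = lambda * W) of the 404-delay proposal in the thread.
Compares the delay implemented by a sleeping worker (each delayed 404 holds a
worker for base_service_s + delay_s, the objection above) with delayed responses
parked in one bounded holding queue that drops on overflow (the counter-proposal).
All input numbers are constructed for illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Load:
    rate_per_s: float          # requests per second arriving at the server
    not_found_fraction: float  # share of those requests that end in a 404
    base_service_s: float      # mean worker time per request without any delay

def busy_workers_in_worker(load: Load, delay_s: float) -> float:
    """Mean busy workers when the worker itself sleeps to delay the 404."""
    found = load.rate_per_s * (1.0 - load.not_found_fraction) * load.base_service_s
    missing = load.rate_per_s * load.not_found_fraction * (load.base_service_s + delay_s)
    return found + missing

def busy_workers_parked(load: Load, delay_s: float, queue_capacity: int):
    """(mean busy workers, mean parked 404s, dropped 404s per second) when
    delayed responses sit in a single bounded holding queue."""
    workers = load.rate_per_s * load.base_service_s  # the delay costs no worker time
    wanted = load.rate_per_s * load.not_found_fraction * delay_s  # L = lambda * W for the queue
    parked = min(wanted, float(queue_capacity))
    # Responses that find the queue full are dropped rather than blocking a worker
    dropped_per_s = (wanted - parked) / delay_s if delay_s > 0 else 0.0
    return workers, parked, dropped_per_s

def rate_to_exhaust(workers: int, load: Load, delay_s: float) -> float:
    """404-only request rate (req/s) at which mean in-worker occupancy equals
    the whole pool, i.e. the traffic level that exhausts the sleeping-worker design."""
    return workers / (load.base_service_s + delay_s)

if __name__ == "__main__":
    scan = Load(rate_per_s=100.0, not_found_fraction=1.0, base_service_s=0.01)  # constructed
    print("no delay, in worker :", busy_workers_in_worker(scan, 0.0))    # about 1 worker
    print("1 s delay, in worker:", busy_workers_in_worker(scan, 1.0))    # about 101 workers
    print("1 s delay, parked   :", busy_workers_parked(scan, 1.0, 50))   # (1.0, 50.0, 50.0)
    print("req/s to fill 150 workers, 1 s delay:", rate_to_exhaust(150, scan, 1.0))
```

With the same 100 req/s of misses, a 1 s in-worker delay raises mean occupancy from about 1 worker to about 101, while parking the delayed responses leaves worker occupancy at about 1 and turns overflow into drops instead of blocked workers.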