Folks,

See below - for the 1.3 discussion - that suggests we should take it a notch down:

On 31 Aug 2011, at 22:35, Munechika Sumikawa wrote:

>>>> We're currently discussing this - and will probably adjust the
>>>> announcement a bit. It is vulnerable in that it can suddenly take a
>>>> lot more CPU, memory and resources when 'attacked'. And the response
>>>> is worse than pure linear. But unlike 2.0 and 2.2 it does not
>>>> explode as exponential. So at this point I am expecting us to
>>>> conclude that 1.3 is 'as affected' as most other servers
>>>> implementing this protocol; not due to a fault in the code - but
>>>> more to a fault in the protocol design.
>>>>
>>>> Does that make sense ?
>>>
>>> Let me confirm the code. Apache 1.3 allocates only several bytes per
>>> each "byte-range" to record first-pos and last-pos. And the memory is
>>> released immediately after the HTTP session is disconnected. Thus,
>>> it's impossible for a cracker to succeed in DoSing a 1.3.x server with the paranoid
>>> range header. Am I correct?
>>>
>>> If so, IMO Apache 1.3's behavior should be the normal case. More
>>> complicated patterns based on the designed protocol eat up more
>>> resources than simpler patterns. That always happens in any protocol.
>>> (e.g. IP fragmentation)
>>>
>>> I think it's still in scope of "linear" even though it's not "pure
>>> linear".

Which makes good sense. And looking at the default 1.3 configs on the standard platforms of that time - it is indeed not really Apache which is at fault.

Dw.
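The point of the exchange above is that Apache 1.3's per-range bookkeeping (a first-pos and a last-pos per byte-range, freed when the connection ends) grows linearly with the number of ranges in the header, so the question for a defender is simply how many ranges a request carries. The following is an added example, not code from the thread or from the Apache project: a small RFC 2616 `Range` header parser with a linear cost estimate and a range-count check. The per-range figure `PER_RANGE_BYTES` (two 8-byte offsets) and the `max_ranges` limit are assumptions chosen for illustration, not measured Apache 1.3 values, and the sample header is constructed.

```python
import re

# Assumed bookkeeping per byte-range: one first-pos and one last-pos offset.
# The thread only says "several bytes"; 2 x 8 bytes is a constructed figure
# for illustration, not a value measured in Apache 1.3.
PER_RANGE_BYTES = 16

# One byte-range-spec: "first-last", "first-" or "-suffix" (RFC 2616 14.35.1).
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

# Constructed sample header value with four single-byte ranges.
SAMPLE_HEADER = "bytes=0-0,1-1,2-2,3-3"


def parse_byte_ranges(header_value):
    """Parse a Range header value such as 'bytes=0-99,-500,1000-' into a
    list of (first, last) tuples; None marks an omitted bound.
    Raises ValueError on a malformed header so the caller rejects it
    instead of guessing what was meant."""
    unit, sep, spec = header_value.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise ValueError("only the 'bytes' range unit is supported")
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # RFC 2616 list syntax tolerates empty elements
        m = _RANGE_SPEC.match(item)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed byte-range-spec: %r" % item)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError("byte-range-spec with last < first: %r" % item)
        ranges.append((first, last))
    if not ranges:
        raise ValueError("Range header carries no byte-range-spec")
    return ranges


def estimate_bookkeeping(header_value, per_range_bytes=PER_RANGE_BYTES):
    """Return (range_count, estimated_bytes) for the 1.3-style model in
    which each range costs a fixed handful of bytes: the estimate is
    linear in the number of ranges, which is the behaviour the thread
    describes as acceptable."""
    count = len(parse_byte_ranges(header_value))
    return count, count * per_range_bytes


def range_header_ok(header_value, max_ranges):
    """Defensive check: True only if the header parses cleanly and carries
    at most max_ranges byte-range-specs. A malformed header counts as
    not OK. The limit itself is a deployment choice (assumed here)."""
    try:
        return len(parse_byte_ranges(header_value)) <= max_ranges
    except ValueError:
        return False


if __name__ == "__main__":
    count, cost = estimate_bookkeeping(SAMPLE_HEADER)
    print("ranges=%d estimated_bytes=%d" % (count, cost))
    print("within limit of 2:", range_header_ok(SAMPLE_HEADER, 2))
```

The estimate deliberately models only the 1.3-style fixed cost per range; the 2.0/2.2 behaviour that the thread contrasts it with is not modelled, because the thread gives no figures for it.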