On Nov 22, 2007 11:13 AM, Sam Testuser <[EMAIL PROTECTED]> wrote: > Joshua Slive <[EMAIL PROTECTED]> wrote: > > Apache httpd does log when a connection hits a TimeOut. (Or if it > doesn't, that is certainly a bug that should be reported.) So I don't > really understand the premise here. > If you hit the timeout, the request is logged in the error log at loglevel > error. > That much is true. But it is not very difficult to work around the timeout. > It is usually reset after every TCP package as it is being recieved. Even > for > the header phase on those apache servers I checked. (However, the > documentation advertises "The total amount of time it takes to receive a GET > request.") > > If I work around the timeout n times and finally send a valid request, > then I am able to block a thread/process for n * timeout - 1 and nothing > appears in the logfile. There are the header limit directives, but it is > hardly possible to set them to very low values and besides: who > cares about headers, when there is a request body do be slowed down. > > As a sidenote: netstat on Linux reveals a few interesting timing infos. > Other operation systems seem to be less verbose in this regard.
Ok. I see the issue better now. But what really is the point in trying to eliminate the client who dribbles out data in order to get around the TimeOut? If you are performing a DDoS, you can easily behave just like an ordinary client (requesting real files), and thereby be almost undetectable. Why bother playing silly timeout tricks? Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
