fredk2 wrote:
Wouldn't you think that a (simple) timer for the header could fend off some
of the effect? Can't we assume that if it takes more than 3 seconds to enter
the header we do not want that client (I'll have to learn to type faster in
telnet :-).


For the headers, I think it might help.
But I'm sure that then the attack would switch to sending the headers fast, and then a long POST body, veeeeery slowly...

On another track, it seems that the "Event MPM" model of Apache also is relatively insensitive to the slowloris thing.


Thanks - Fred


awarnier wrote:
fredk2 wrote:
Hi,

http://httpd.apache.org/docs/2.2/mod/core.html#timeout says:

The TimeOut directive currently defines the amount of time Apache will wait for three things:
1. The total amount of time it takes to receive a GET request
...

1. seems to be misleading; tests with "Timeout 3" do not appear very effective.
For example:
GET / HTTP/1.1
Host: foo
<sleep 2s>
X-a: b
<sleep 2s>
...

Such requests are not rejected after 3 seconds as expected.
Are we missing in Apache a timer for the header to complete, ~ HeaderTimeout 1?

What you are describing above is exactly the way a "slowloris" denial-of-service attack works. On the majority of webservers, each such client locks up one child or thread of the webserver for as long as it takes to complete the request. It is quite difficult to fight this, because how do you then distinguish a legitimate client that happens to have a slow internet connection?

The item #1 above, is relative to the time between
- the initial establishment of the TCP connection to Apache
- and the arrival of the first byte of the HTTP request itself
(the G of GET)
That is to avoid another type of DOS attack.
But how would Apache know in advance how many headers there are, or what is "reasonable" as a time before a whole POST request is in?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
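The difference the thread turns on (a per-read inactivity timeout, which is roughly what the Timeout directive enforces, versus a wall-clock deadline for the whole request head) can be made concrete with this added Python example; it is not Apache code and not from anyone in the thread, and `read_request_head`, `simulate` and the dripped header lines are constructed for the demonstration.

```python
"""Per-read inactivity timeout vs. total request-head deadline (constructed demo)."""
import socket
import threading
import time


class HeaderTimeout(Exception):
    """kind is "idle" (no bytes for idle_timeout) or "total" (head not done in time)."""
    def __init__(self, kind):
        super().__init__(f"request head incomplete: {kind} timeout")
        self.kind = kind


def read_request_head(sock, idle_timeout, total_timeout, max_bytes=8192):
    """Read until the CRLFCRLF that ends the request head, enforcing two limits:
    idle_timeout  - longest pause between two reads (roughly Apache's Timeout);
    total_timeout - wall-clock budget for the whole head (a "HeaderTimeout")."""
    deadline = time.monotonic() + total_timeout
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise HeaderTimeout("total")
        sock.settimeout(min(idle_timeout, remaining))
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            # the smaller of the two limits is the one that just expired
            raise HeaderTimeout("total" if remaining <= idle_timeout else "idle") from None
        if not chunk:
            raise ConnectionError("client closed before the head was complete")
        buf += chunk
        if len(buf) > max_bytes:
            raise ValueError("request head too large")
    return buf


def simulate(lines, gap, idle_timeout, total_timeout):
    """Constructed client: sends one header line every `gap` seconds, then keeps
    the connection open (never closes). Returns "complete", "idle" or "total"."""
    server, client = socket.socketpair()

    def drip():
        try:
            for line in lines:
                client.sendall(line)
                time.sleep(gap)
        except OSError:  # server side gave up and closed the pair
            pass

    threading.Thread(target=drip, daemon=True).start()
    try:
        read_request_head(server, idle_timeout, total_timeout)
        return "complete"
    except HeaderTimeout as exc:
        return exc.kind
    finally:
        server.close()
        client.close()
```

With header lines arriving every 0.3 s, an idle limit of 0.6 s alone never fires (the fredk2 scenario scaled down), while a 0.5 s total deadline rejects the same client; a client that sends one line and then stalls is caught by the idle limit.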