On Jun 24, 2009, at 5:18 AM, Joe Orton wrote:
Regardless, the only thing I've ever wanted to see changed in the
server
which would somewhat mitigate this type of attack is to have coarser
granularity on timeouts, e.g. per-request-read, rather than simply
per-IO-operation.
++1. Timeout
On Jun 23, 2009, at 8:39 PM, Akins, Brian wrote:
On 6/23/09 12:48 AM, Paul Querna p...@querna.org wrote:
Mitagation is the wrong approach.
We all know our architecture is wrong.
Another heretical suggestion:
Lighttpd and nginx are both release under BSD-like licenses.
Hear me out.
I've
Akins, Brian wrote:
On 6/22/09 10:40 PM, Weibin Yaonbubi...@gmail.com wrote:
I have an idea to mitigate the problem: put the Nginx as a reverse proxy
server in the front of apache.
Or a device that effectively acts as such.
So what we did in the mid '90 when we where hit by pretty much the
Dirk-Willem van Gulik wrote:
So what we did in the mid '90 when we where hit by pretty much the same
was a bit simpler - any client which did not complete its headers within
a a few seconds (or whatever a SLIP connection over a few k baud or so
would need) was simply handed off by passing the
-Ursprüngliche Nachricht-
Von: Graham Leggett
Gesendet: Mittwoch, 24. Juni 2009 10:05
An: dev@httpd.apache.org
Betreff: Re: Mitigating the Slowloris DoS attack
Dirk-Willem van Gulik wrote:
So what we did in the mid '90 when we where hit by pretty
much the same
was a bit
On Mon, Jun 22, 2009 at 09:48:46PM -0700, Paul Querna wrote:
On Sun, Jun 21, 2009 at 4:10 AM, Andreas Krennmaira...@synflood.at wrote:
Hello everyone,
.
The basic principle is that the timeout for new connections is adjusted
according to the current load on the Apache instance: a load
The problem could happen also if a CL is sent and not enough data is
posted. So i don't think control for complete headers will solve the
entire problem. I'm actually playing with dynamic timeout considering
time between request line and first header to adapt future timeout of
the socket, but it
I totally agree with you.
This first point the lack of tunning of httpd.conf, this kind of attack
crash default setup of httpd.conf but a well setup server is harder to
kill, specially if you have decreased timeout. With 5 seconds as timeout
and a good tuning, slowloris fail...
More granular
* Joe Orton jor...@redhat.com [2009-06-24 11:20]:
Meh. There will always be a maximum to the number of concurrent
connections a server can handle - be that hardware, kernel, or server
design. If you allow a single client to establish that number of
connections it will deny service to other
M == Matthieu Estrade mestr...@apache.org writes:
M More granular timeout and maybe adaptative timeout is also IMHO a good
M way to improve resistance to this kind of attack.
The current 1.3, 2.0 and 2.2 documentation is in agreement too!
I believe the ssl module also takes its timeout value
2009/6/24 Kevin J Walters kevin.walt...@morganstanley.com:
M == Matthieu Estrade mestr...@apache.org writes:
M More granular timeout and maybe adaptative timeout is also IMHO a good
M way to improve resistance to this kind of attack.
The current 1.3, 2.0 and 2.2 documentation is in
On 6/22/09 10:40 PM, Weibin Yao nbubi...@gmail.com wrote:
I have an idea to mitigate the problem: put the Nginx as a reverse proxy
server in the front of apache.
Or a device that effectively acts as such.
--
Brian Akins
Chief Operations Engineer
Turner Digital Media Technologies
On 6/23/09 12:48 AM, Paul Querna p...@querna.org wrote:
Mitagation is the wrong approach.
We all know our architecture is wrong.
Another heretical suggestion:
Lighttpd and nginx are both release under BSD-like licenses.
Hear me out.
I've actually been thinking how possible would it be to
* Guenter Knauf fua...@apache.org [2009-06-22 04:30]:
wouldnt limiting the number of simultanous connections from one IP
already help? F.e. something like:
http://gpl.net.ua/modipcount/downloads.html
Not only would this be futile against the Slowloris attack (imagine n
connections from n
Guenter Knauf wrote:
Hi Andreas,
Andreas Krennmair schrieb:
For those who are still unaware of the Slowloris attack, it's a
denial-of-service attack that consumes Apache's resources by opening up
a great number of parallel connections and slowly sending partial
attack including a PoC
Andreas Krennmair wrote:
* Guenter Knauf fua...@apache.org [2009-06-22 04:30]:
wouldnt limiting the number of simultanous connections from one IP
already help? F.e. something like:
http://gpl.net.ua/modipcount/downloads.html
Not only would this be futile against the Slowloris attack
Hi,
How about coding a module looking how many bytes are read and if there
is too little chunk of data, close the connection.
Something like a MinDataReadSize. If the read() function read too little
data, close() the socket... Dunno if it's possible to hook directly in
connection hook to do
William A. Rowe, Jr. at 2009-6-23 2:00 wrote:
Andreas Krennmair wrote:
* Guenter Knauf fua...@apache.org [2009-06-22 04:30]:
wouldnt limiting the number of simultanous connections from one IP
already help? F.e. something like:
http://gpl.net.ua/modipcount/downloads.html
Not
2009/6/23 Weibin Yao nbubi...@gmail.com:
William A. Rowe, Jr. at 2009-6-23 2:00 wrote:
Andreas Krennmair wrote:
* Guenter Knauf fua...@apache.org [2009-06-22 04:30]:
wouldnt limiting the number of simultanous connections from one IP
already help? F.e. something like:
On Sun, Jun 21, 2009 at 4:10 AM, Andreas Krennmaira...@synflood.at wrote:
Hello everyone,
.
The basic principle is that the timeout for new connections is adjusted
according to the current load on the Apache instance: a load percentage is
computed in the perform_idle_server_maintenance()
On Mon, Jun 22, 2009 at 9:07 PM, Graham
Dumpletongraham.dumple...@gmail.com wrote:
2009/6/23 Weibin Yao nbubi...@gmail.com:
William A. Rowe, Jr. at 2009-6-23 2:00 wrote:
Andreas Krennmair wrote:
* Guenter Knauf fua...@apache.org [2009-06-22 04:30]:
wouldnt limiting the number of
Hi Andreas,
Andreas Krennmair schrieb:
For those who are still unaware of the Slowloris attack, it's a
denial-of-service attack that consumes Apache's resources by opening up
a great number of parallel connections and slowly sending partial
requests, never completing them. Since Apache limits
2009/6/22 Guenter Knauf fua...@apache.org:
Hi Andreas,
Andreas Krennmair schrieb:
For those who are still unaware of the Slowloris attack, it's a
denial-of-service attack that consumes Apache's resources by opening up
a great number of parallel connections and slowly sending partial
23 matches
Mail list logo