https://issues.apache.org/bugzilla/show_bug.cgi?id=51103
Summary: mod_reqtimeout does not drop connection and return 408
Product: Apache httpd-2
Version: 2.2.17
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: mod_reqtimeout
AssignedTo: [email protected]
ReportedBy: [email protected]
Overview
--------
The mod_reqtimeout module is not dropping connections and returning 408 when
dealing with "slow http header" or "slow http body" requests. Instead, it is
either truncating the request and handling it, or dropping the request with a
400 status code.
Steps to reproduce (A)
----------------------
1. Launch a slow-post attack using the OWASP HTTP DoS tool
(http://code.google.com/p/owasp-dos-http-post/downloads/list)
http_dos_cli --host 1.2.3.4 --port 80 --path /server-status --slow-post
--post-field j_username --connections 1000 --rate 1000 --timeout 5
2. Sniff network traffic using Wireshark, observe requests being truncated and
handled, resulting in a 200 return code.
Steps to reproduce (B)
----------------------
1. Launch a slow-headers attack
2. Sniff network traffic using Wireshark, observe requests being dropped with a
400 code being returned.
Expected behavior
-----------------
Request is dropped and a 408 status code is returned.
Actual behavior
---------------
Request is dropped and a 400 status code is returned OR request is truncated
and handled normally.
Platform
--------
Software: Apache 2.2.17 (MPM-worker)
OS: Solaris 5.10 32-bit
Hardware: Sun SPARC
Additional information
----------------------
mod_reqtimeout configuration
RequestReadTimeout header=10-20,MinRate=500 body=10-20,MinRate=500
ModSecurity 2.5.13 is also configured.
Apache debug logs show that incoming requests time out:
[Tue Apr 19 08:55:09 2011] [info] [client 5.6.7.8] Request header read timeout
[Tue Apr 19 08:55:09 2011] [error] [client 5.6.7.8] request failed: error reading the headers
OR
[Tue Apr 19 09:01:20 2011] [info] [client 5.6.7.8] Request body read timeout
---
Thanks!
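Whatever status code the client ends up seeing, the error_log lines quoted above are the reliable signal that mod_reqtimeout fired, so an operator will want to count them per client. The following is an added example, not part of the bug report or of httpd itself: it parses Apache 2.2-style error_log lines in the format shown above, tallies header and body read timeouts per client, and flags clients at or above a threshold. The sample log lines and the threshold of 3 are constructed for the example.

```python
import re

# Apache 2.2 error_log format as quoted in the report, e.g.
# [Tue Apr 19 08:55:09 2011] [info] [client 5.6.7.8] Request header read timeout
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)

# Messages mod_reqtimeout logs at [info] when a read timeout triggers.
TIMEOUT_MSGS = {
    "Request header read timeout": "header",
    "Request body read timeout": "body",
}

# Constructed sample lines; the real log has one record per line.
SAMPLE_LOG = """\
[Tue Apr 19 08:55:09 2011] [info] [client 5.6.7.8] Request header read timeout
[Tue Apr 19 08:55:09 2011] [error] [client 5.6.7.8] request failed: error reading the headers
[Tue Apr 19 08:55:11 2011] [info] [client 5.6.7.8] Request header read timeout
[Tue Apr 19 09:01:20 2011] [info] [client 5.6.7.8] Request body read timeout
[Tue Apr 19 09:01:25 2011] [info] [client 9.9.9.9] Request body read timeout
[Tue Apr 19 09:01:30 2011] [notice] [client 9.9.9.9] unrelated message
""".splitlines()


def parse_line(line):
    """Split one error_log record into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def timeout_events(lines):
    """Yield (client, kind) for every mod_reqtimeout timeout record; kind is 'header' or 'body'."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = TIMEOUT_MSGS.get(rec["msg"].strip())
        if kind:
            yield rec["client"], kind


def summarize(lines):
    """Per client, the number of header and body read timeouts seen."""
    summary = {}
    for client, kind in timeout_events(lines):
        summary.setdefault(client, {"header": 0, "body": 0})[kind] += 1
    return summary


def flag_clients(lines, threshold=3):
    """Clients whose combined header+body timeouts reach the threshold."""
    return {c: k for c, k in summarize(lines).items() if k["header"] + k["body"] >= threshold}


if __name__ == "__main__":
    for client, counts in flag_clients(SAMPLE_LOG).items():
        print(client, counts)
```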