https://issues.apache.org/bugzilla/show_bug.cgi?id=51103
--- Comment #3 from [email protected] 2011-04-22 12:35:33 EDT ---
Hi Stefan and thanks for taking the time to look at this.

(In reply to comment #1)
> (In reply to comment #0)
> > Steps to reproduce (A)
> > ----------------------
> > 1. Launch a slow-post attack using the OWASP HTTP DoS tool
> > (http://code.google.com/p/owasp-dos-http-post/downloads/list)
> > http_dos_cli --host 1.2.3.4 --port 80 --path /server-status --slow-post
> > --post-field j_username --connections 1000 --rate 1000 --timeout 5
> > 2. Sniff network traffic using Wireshark, observe requests being truncated and
> > handled, resulting in a 200 return code.
>
> I couldn't reproduce this (but I don't have windows to actually try the tool).
> Can you provide the wireshark dump (maybe filtered to only contain one
> request)? Do you have mod_status listening for /server-status?

I have attached a Wireshark dump to the bug report. Let me know if this is what you expected, I'm actually new to Wireshark. We have mod_status listening on /server-status and it's responding correctly when invoking with a browser.

Apache is now returning a 400 code, similar to the slow-headers attack. We did tweak a few settings (disabled ModSecurity, turned off ExtendedStatus) so it might have had that effect. I will investigate further.

> > Steps to reproduce (B)
> > ----------------------
> > 1. Launch a slow-headers attack
> > 2. Sniff network traffic using Wireshark, observe requests being dropped with a
> > 400 code being returned.
>
> This happens in various situations and is fixed in trunk. The fixes should
> probably be backported to 2.2.x. The relevant commits are r820760 r919323
> r937858 r938265

This is good to know. Do you have any idea when these changes will be backported or when 2.3 will be released?
