There exists (and I know of several instances when it was successfully used) a trivial kind of DDoS attack that seems to be quite poorly handled by Apache: if multiple clients just create TCP connections to port 80 and do not send anything over those connections, it will take TimeOut (300 sec by default) to drop such a connection. So, it becomes trivial to fill all 256 slots (the default MaxClients for the prefork MPM) and even thousands of slots for the worker MPM, therefore effectively preventing legitimate users from requesting data.
Two features IMO would help (sorry if they were already recently added; please refer me to the appropriate directives then):

- Split the TimeOut directive into several (which is already planned according to the Apache docs: http://httpd.apache.org/docs-2.0/mod/core.html#timeout). To deal with such an attack, it is necessary to reduce "The total amount of time it takes to receive a GET request." to several seconds, but unfortunately reducing the current TimeOut value to several seconds will have all kinds of ill effects, including effective inability to serve relatively big files (1M+).
- Implement a restriction on the number of connections from a single source IP (something similar to mod_conn that existed for Apache 1.3). Note: I have no idea how mod_conn was implemented, but to deal with the attack, the IP session limit check must be performed _before_ the GET request is completed.

Thanks in advance
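The two mitigations requested above, a header-receive deadline that is separate from the overall connection timeout and a per-source-IP connection cap checked before any request bytes are read, are modelled below in a small asyncio server. This is an added example written for this page; it is not code from the post's author and not Apache's implementation (later httpd releases do ship the split deadline as mod_reqtimeout's RequestReadTimeout directive, and per-IP caps are usually enforced in front of the server, e.g. by a firewall connection limit). The limits, the 127.0.0.1 test traffic and the `simulate` scenario are constructed for the demonstration.

```python
"""Added example: enforce a short request-header deadline and a per-IP
connection cap at accept time. Illustrative code, not Apache's own; the
limits and the loopback test traffic are constructed for the demo."""
import asyncio
from collections import defaultdict

HEADER_TIMEOUT = 2.0   # seconds allowed to deliver the complete request header (assumed)
PER_IP_LIMIT = 3       # concurrent connections permitted per source address (assumed)
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Length: 3\r\nConnection: close\r\n\r\nok\n"


class GuardedServer:
    """Connection handler with a header deadline and a per-IP connection cap."""

    def __init__(self, header_timeout=HEADER_TIMEOUT, per_ip_limit=PER_IP_LIMIT):
        self.header_timeout = header_timeout
        self.per_ip_limit = per_ip_limit
        self.active = defaultdict(int)   # source IP -> connections currently holding a slot
        self.events = []                 # audit trail of decisions: (decision, ip)

    async def handle(self, reader, writer):
        ip = writer.get_extra_info("peername")[0]
        # Check 1: per-IP cap, evaluated before a single request byte is read,
        # so a silent connection cannot claim a slot merely by existing.
        if self.active[ip] >= self.per_ip_limit:
            self.events.append(("reject_ip_limit", ip))
            await self._close(writer)
            return
        self.active[ip] += 1
        try:
            # Check 2: the whole header must arrive within header_timeout.
            # A client that connects and sends nothing is dropped quickly,
            # independently of how long a large response body may take to send.
            try:
                await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), self.header_timeout)
            except (asyncio.TimeoutError, asyncio.IncompleteReadError,
                    asyncio.LimitOverrunError):
                self.events.append(("drop_header_timeout", ip))
                return
            self.events.append(("served", ip))
            writer.write(RESPONSE)
            await writer.drain()
        finally:
            self.active[ip] -= 1   # the slot is freed as soon as the connection ends
            await self._close(writer)

    @staticmethod
    async def _close(writer):
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass   # peer already gone; nothing left to do


async def simulate(header_timeout=0.5, per_ip_limit=2):
    """Constructed scenario: three idle connections from one address (the third
    exceeds the cap), then, after the header deadline has passed, one real
    request. Returns the server's decision log and the response bytes."""
    srv = GuardedServer(header_timeout, per_ip_limit)
    server = await asyncio.start_server(srv.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    idle = [await asyncio.open_connection("127.0.0.1", port) for _ in range(3)]
    await asyncio.sleep(header_timeout * 3)   # let the header deadline expire
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
    await writer.drain()
    response = await reader.read()
    writer.close()
    for _, w in idle:
        w.close()
    server.close()
    await server.wait_closed()
    return srv.events, response


if __name__ == "__main__":
    events, response = asyncio.run(simulate())
    for decision, ip in events:
        print(f"{ip}: {decision}")
    print(response.decode().splitlines()[-1])
```

Running the module shows the third idle connection rejected immediately by the per-IP cap, the first two dropped once the header deadline expires, and the legitimate request served afterwards because the slots were reclaimed. The important design point is the order of the checks: the per-IP count is consulted before any read, and the header deadline is short while the body and response phases keep their own, longer budget.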