Sergey Ignatchenko wrote:

There exists (and I know of several instances when it was successfully used) a trivial kind of DDOS attack that seems to be quite poorly handled by Apache: if multiple clients just create TCP connections to port 80 and do not send anything over those connections, it will take TimeOut (300 sec by default) to drop such a connection. So, it becomes trivial to fill all 256 slots (default MaxClients for prefork MPM) and even thousands of slots for worker MPM, therefore effectively preventing legitimate users from requesting data.


Two features IMO would help (sorry if they were already recently added - pls refer me to appropriate directives then):

- split TimeOut directive into several (which is already planned according to Apache docs: http://httpd.apache.org/docs-2.0/mod/core.html#timeout).


To deal with such an attack, it is necessary to reduce "The total amount of time it takes to receive a GET request." to several seconds, but unfortunately reducing the current TimeOut value to several seconds will have all kinds of ill effects, including effective inability to serve relatively big files (1M+).
This has been discussed before on the list. The conclusion of the discussion has always been something like 'there are other very effective ways to DoS the server that cannot be defended against at the HTTP protocol level so implementing DoS protections in the web server is pointless'. Or something like that. However...

I am in favor of splitting the timeout directive into two separate directives. This seems relatively easy to do and it will protect against a trivial attack.

- implementing restriction on number of connections from single source IP (something similar to mod_conn that existed for Apache 1.3). Note: I have no idea how mod_conn was implemented, but to deal with the attack, IP session limit check must be performed _before_ GET request completed.

This, otoh, would play havoc with folks accessing websites via a proxy (think employees of a large company accessing internet sites; they all might look like they are coming from the same IP addr). I would not object to someone starting an httpd subproject for a general purpose module to implement some of the defences that can be implemented at the HTTP level.

Bill
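The split-timeout idea the reply endorses, as an added illustration that is neither Apache code nor anything posted in the thread: a connection policy with a short deadline for the complete request head, measured from accept(), and the existing long idle timeout applied only once the head has arrived, exercised against a constructed scenario of idle connections beside one slow download. The class and function names, the two constants and the scenario are assumptions made for this example.

```python
from dataclasses import dataclass

HEADER_TIMEOUT = 5.0      # seconds from accept() to a complete request head (assumed value)
TRANSFER_TIMEOUT = 300.0  # idle seconds tolerated once the head has arrived (Apache's default TimeOut)

@dataclass
class Conn:
    accepted_at: float
    last_activity: float
    head: bytes = b""
    head_complete: bool = False

    def activity(self, now: float, received: bytes = b"") -> None:
        """Record bytes moving in either direction; collect the request head up to its blank line."""
        self.last_activity = now
        if not self.head_complete and received:
            self.head += received
            if b"\r\n\r\n" in self.head:
                self.head_complete = True

def drop_reason(conn: Conn, now: float):
    """Return why the connection should be closed now, or None to keep it."""
    if not conn.head_complete:
        # Deadline is absolute from accept(), so trickling header bytes does not extend it.
        return "header-timeout" if now - conn.accepted_at > HEADER_TIMEOUT else None
    return "idle-timeout" if now - conn.last_activity > TRANSFER_TIMEOUT else None

def sweep(conns: dict, now: float) -> dict:
    """Reaper pass: remove expired connections from the slot table, return {id: reason}."""
    expired = {cid: r for cid, c in conns.items() if (r := drop_reason(c, now))}
    for cid in expired:
        del conns[cid]
    return expired

def simulate() -> dict:
    """Constructed scenario: 300 connections that never send a byte, plus one slow download."""
    conns = {f"idle{i}": Conn(0.0, 0.0) for i in range(300)}
    legit = Conn(0.0, 0.0)
    legit.activity(1.0, b"GET /big.iso HTTP/1.0\r\nHost: example.test\r\n\r\n")
    conns["legit"] = legit
    first = sweep(conns, 6.0)           # header deadline has passed for the idle connections
    slots_after_first = len(conns)      # with a single 300 s TimeOut they would still hold 300 slots
    for t in (120.0, 240.0):            # response bytes keep flowing every 120 s
        legit.activity(t)
    second = sweep(conns, 250.0)        # 10 s idle: far below TRANSFER_TIMEOUT, download continues
    third = sweep(conns, 600.0)         # 360 s idle: the long timeout finally applies
    return {"dropped_idle": sum(r == "header-timeout" for r in first.values()),
            "legit_survived_first_sweep": "legit" not in first,
            "slots_in_use_after_6s": slots_after_first,
            "dropped_second": len(second),
            "legit_reason_at_600s": third.get("legit")}

if __name__ == "__main__":
    print(simulate())
```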
