Rasmus Lerdorf wrote:
> Nick Kew wrote:
> 
>>> Turn on accept filtering and this problem goes away.  Or at least it
>>> moves to be a kernel-level issue instead of an Apache one.
>>
>> How does that work with large requests?  Doesn't the whole principle
>> leave you the choice of just moving the DoS attack or breaking
>> pipelining?
> 
> You mean the httpready filter?  The accept will trigger once the buffer
> is full, so yes, large requests will defeat it eventually, but you still
> get the benefit of not tying up an Apache process until the buffer has
> been filled.

OK, that makes sense.  Thanks for clarifying.

> I did fix an issue last year where even with accept filtering enabled
> you could DoS any Apache server by simply opening MaxClients connections
> and trickling a carriage return to each connection very slowly.  So for
> people seeing DoS issues like this, I would suggest upgrading to the
> latest version, turning on accept filtering and turning off keepalive.

I have some recollection of that problem, but not the solution.  It's
actually somewhat topical for my client right now.  You and Paul have
told us about FreeBSD and Linux; is there also a Solaris equivalent?
(probably not required as they're gradually upgrading it to Linux,
but would be good to have).

-- 
Nick Kew
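The mitigations discussed in this thread (accept filtering plus disabling keepalive), shown as an httpd.conf fragment. This is an added example, not configuration posted by either participant; it assumes Apache httpd 2.2 or later, where the AcceptFilter directive exists, and a FreeBSD host with the accf_http/accf_data kernel modules loaded (on Linux the equivalent setting is `AcceptFilter http data`, which maps to TCP_DEFER_ACCEPT). The MaxClients and Timeout values are constructed placeholders, not recommendations.

```apache
# Added example (not from the thread). Contrast between a configuration
# that hands every accepted connection to a worker immediately and one
# that applies the mitigations discussed above.

# --- Weak: plain accept, keepalive on ---------------------------------
# A worker is tied up from accept() onward even if the client never sends
# a byte, so MaxClients slow connections are enough to exhaust the pool.
#
# KeepAlive On
# KeepAliveTimeout 15
# MaxClients 150

# --- Hardened ---------------------------------------------------------
# FreeBSD: httpready (accf_http) keeps the connection in the kernel until
# a complete HTTP request header has arrived; dataready (accf_data) waits
# only for the first bytes. TLS listeners cannot use httpready because the
# first bytes on the wire are a ClientHello, not an HTTP request.
# As the thread notes, a request larger than the kernel buffer still gets
# handed to a worker before it is complete, so this raises the cost of a
# trickle attack rather than eliminating it.
AcceptFilter http  httpready
AcceptFilter https dataready
# Linux equivalent (TCP_DEFER_ACCEPT; only waits for first data):
# AcceptFilter http  data
# AcceptFilter https data

# Idle keepalive connections also hold a worker each; with keepalive off
# the worker is released as soon as the response has been sent.
KeepAlive Off

# Bound how long a worker waits on a slow client once it has been accepted
# (placeholder value).
Timeout 30

# Placeholder worker limit; size to the host, not to this example.
MaxClients 150
```

On FreeBSD, `kldload accf_http accf_data` (or the matching loader.conf entries) must precede a restart, otherwise httpd logs a warning and falls back to an unfiltered accept.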
