I was just thinking about a quick & dirty fix we could offer
to admins who are suddenly concerned about DoS attacks.
The following, backed by dbm or memcache and assuming configurable
default and per-host concurrent connection limits, looks like an
outline candidate and works as a module:
#include "httpd.h"
#include "http_config.h"
#include "http_connection.h"

static int noloris_conn(conn_rec *conn)
{
    /* kludge: just limit the number of connections per-ip */
    /* increment num-conn-from-host
     * register pool cleanup to decrement it
     * limit = per-host-limit || default-limit
     * if (num-conn > limit) {
     *     drop connection;
     *     return OK;
     * }
     */
    return DECLINED;
}

static void noloris_hooks(apr_pool_t *p)
{
    ap_hook_process_connection(noloris_conn, NULL, NULL, APR_HOOK_FIRST);
}

module AP_MODULE_DECLARE_DATA noloris_module = {
    STANDARD20_MODULE_STUFF,
    NULL, NULL, NULL, NULL,   /* no per-dir or per-server config yet */
    NULL,                     /* no directives yet: limits still to be made configurable */
    noloris_hooks
};
Is this worth hacking up, or more trouble than it saves?
--
Nick Kew
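The counting logic of the outline above, worked through as an added example that is not Nick's code and not part of the thread: a constructed in-memory table stands in for the dbm/memcache store, and the function names (noloris_accept, noloris_release, noloris_set_limit) are hypothetical.

```c
#include <string.h>

/* Constructed stand-in for the dbm/memcache-backed store: a per-process table. */
#define MAX_HOSTS 64
#define IP_LEN 46                  /* room for an IPv6 text address */

struct host_entry { char ip[IP_LEN]; int active; int limit; /* 0: use default */ };
static struct host_entry hosts[MAX_HOSTS];
static int default_limit = 5;      /* the outline's configurable default-limit */

static struct host_entry *lookup(const char *ip, int create)
{
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (hosts[i].ip[0] == '\0') {          /* free slot: end of used entries */
            if (!create) return NULL;
            strncpy(hosts[i].ip, ip, IP_LEN - 1);
            return &hosts[i];
        }
        if (strcmp(hosts[i].ip, ip) == 0) return &hosts[i];
    }
    return NULL;                               /* table full: fail open below */
}

/* The outline's per-host-limit override (hypothetical name). */
void noloris_set_limit(const char *ip, int limit)
{
    struct host_entry *h = lookup(ip, 1);
    if (h) h->limit = limit;
}

/* Where the outline increments num-conn-from-host and compares to the limit.
 * Returns 1 to accept, 0 to drop; a dropped connection is not counted, so
 * callers only pair noloris_release() with accepted ones. */
int noloris_accept(const char *ip)
{
    struct host_entry *h = lookup(ip, 1);
    if (!h) return 1;                          /* table full: do not lock everyone out */
    int limit = h->limit ? h->limit : default_limit;
    if (h->active + 1 > limit) return 0;
    h->active++;
    return 1;
}

/* The pool-cleanup counterpart: decrement when an accepted connection closes. */
void noloris_release(const char *ip)
{
    struct host_entry *h = lookup(ip, 0);
    if (h && h->active > 0) h->active--;
}
```

In a real httpd the counter has to live in the shared dbm or memcache store the post mentions: a per-process table like this one would let every worker process accept up to the limit on its own.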