Plüm, Rüdiger, VF-Group wrote:
>> Is this worth hacking up, or more trouble than it saves?
>
> I guess the approach is good, but there are already modules in the
> wild that provide this. So the question is: Should we do our own?
> BTW: I remember that there was a request a while ago to move mod_limitipconn
> (one of those modules) inside httpd, but I haven't got the archives
> at hand right now to check. Maybe an idea to come back to this.

mod_limitipconn works at the request level, so won't help with
slowloris-style attacks. Same goes for mod_evasive - someone
posted "mod_evasive doesn't help" on users@, and that'll be why.
I'm not sure whether any of the traffic-management modules
work on connections (anyone know)? If so, then yes, we could
just point to them as a fix until we produce something better
than mod_noloris.
--
Nick Kew