On 06/25/2009 04:01 PM, Plüm, Rüdiger, VF-Group wrote:
>
>> -----Original Message-----
>> From: Nick Kew
>> Sent: Thursday, 25 June 2009 15:40
>> To: dev@httpd.apache.org
>> Subject: mod_noloris: mitigating against slowloris-style attack
>>
>> I was just thinking about a quick&dirty fix we could offer
>> to admins who are suddenly concerned about DoS attack.
>>
>> The following, backed by dbm or memcache and assuming configurable
>> default and per-host concurrent connection limits, looks like an
>> outline candidate and works as a module:
>>
>> static int noloris_conn(conn_rec *conn)
>> {
>>     /* kludge: just limit the number of connections per-ip */
>>     /* increment num-conn-from-host
>>      * register pool cleanup to decrement it
>>      * limit = per-host-limit || default-limit
>>      * if (num-conn > limit) {
>>      *     drop connection;
>>      *     return OK;
>>      * }
>>      */
>>     return DECLINED;
>> }
>> static void noloris_hooks(apr_pool_t *p)
>> {
>>     ap_hook_process_connection(noloris_conn, NULL, NULL,
>>                                APR_HOOK_FIRST);
>> }
>>
>> Is this worth hacking up, or more trouble than it saves?
>
> I guess the approach is good, but there are already modules in the
> wild that provide this. So the question is: Should we do our own?
> BTW: I remember that there was a request a while ago to move mod_limitipconn
> (one of those modules) inside httpd, but I haven't got the archives
> at hand right now to check. Maybe an idea to come back to this.
The idea to move mod_limitipconn inside httpd is nearly one year old. See

http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3cpine.gso.4.64.0806181704510.11...@hatchepsut.acc.umu.se%3e
http://mail-archives.apache.org/mod_mbox/httpd-dev/200808.mbox/%3cpine.gso.4.64.0808221104590.22...@hatchepsut.acc.umu.se%3e

David Jao, the author of the module, said that the latest version is ASL2.0 licensed

http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3c485b942b.8060...@dominia.org%3e

and that he would sign a software grant if needed.

http://mail-archives.apache.org/mod_mbox/httpd-dev/200808.mbox/%3c48af281f.1030...@dominia.org%3e

Do we need such a grant if it is ASL2.0 licensed? Does anybody see any *license* (not *technical* or *project*) issues importing it into trunk and using it as a base for a module to mitigate slowloris-style attacks?

Regards

Rüdiger
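The per-IP counting logic that Nick's outline describes, as an added stand-alone C model that is not httpd, mod_noloris or mod_limitipconn code: an in-memory table stands in for the dbm/memcache backend, the process_connection hook, the pool cleanup and the per-host limit directive are modelled as plain functions, and the names noloris_set_limit, noloris_conn_cleanup, noloris_active and the sample limits are assumptions.

```c
#include <string.h>

/* Hypothetical model of the limiter sketched in the thread (not httpd code).
 * A fixed in-memory table replaces the dbm/memcache backend. */
#define MAX_HOSTS 64
#define OK 0          /* httpd: connection handled (here: dropped) */
#define DECLINED -1   /* httpd: let the next handler process it */

struct host_entry { char ip[46]; int conns; int limit; }; /* limit 0 = use default */
static struct host_entry table[MAX_HOSTS];
static int default_limit = 10;  /* assumed default concurrent-connection limit */

static struct host_entry *find_host(const char *ip, int create) {
    int i;
    for (i = 0; i < MAX_HOSTS && table[i].ip[0]; i++)
        if (strcmp(table[i].ip, ip) == 0) return &table[i];
    if (!create || i == MAX_HOSTS) return NULL;
    strncpy(table[i].ip, ip, sizeof table[i].ip - 1);
    return &table[i];
}

/* Per-host override, standing in for a hypothetical per-host limit directive. */
void noloris_set_limit(const char *ip, int limit) {
    struct host_entry *h = find_host(ip, 1);
    if (h) h->limit = limit;
}

/* Models the process_connection hook: count the connection, apply
 * limit = per-host-limit || default-limit, drop (OK) when exceeded. */
int noloris_conn(const char *ip) {
    struct host_entry *h = find_host(ip, 1);
    int limit;
    if (!h) return DECLINED;               /* table full: fail open */
    h->conns++;                            /* increment num-conn-from-host */
    limit = h->limit ? h->limit : default_limit;
    if (h->conns > limit) {
        h->conns--;                        /* dropped: undo the increment now */
        return OK;
    }
    return DECLINED;                       /* accepted: cleanup decrements later */
}

/* Models the pool cleanup registered on an accepted connection. */
void noloris_conn_cleanup(const char *ip) {
    struct host_entry *h = find_host(ip, 0);
    if (h && h->conns > 0) h->conns--;
}

int noloris_active(const char *ip) {      /* current count, for inspection */
    struct host_entry *h = find_host(ip, 0);
    return h ? h->conns : 0;
}
```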