On Wed, Jul 1, 2009 at 9:49 AM, Nick Kew<[email protected]> wrote:
> Gonzalo Arana wrote:
>>
>> Hi,
>>
>> Keeping whitelist up to date is rather tricky.
>>
>> How about having any/all of these directives?
>>
>> # time between accept(2) call and the full request has been read.
>> RequestTimeout 1
>>
>> # minimum bandwidth the user should have available to access this server.
>> MinInRate 2KB/s
>> MinOutRate 3KB/s
>
> That'll completely exclude people on slow connections!

The RequestTimeout could aid in telling apart slow connections from a
slowloris attack.
Is there any other way to tell apart a slow connection from a slowloris
attack without keeping a whitelist?
The purpose of having this value tunable via a directive is to let any
sysadmin change this value.

> But it's something you could implement in a bandwidth-management
> module.

I agree.

>> One extra note: it would be good to let these Min{In,Out}Rate be
>> overridden for large files (audio/video files, for instance).
>
> You don't have anything as specific as a file in a slowloris-type
> attack. You appear to be envisaging something much closer to
> various (existing, third-party) bandwidth-management modules.

I know the slowloris attack does not depend on the file size.
MinOutRate could be raised in some cases anyway.
These directives resemble bandwidth management, but wouldn't this help
with the slowloris attack, without adding the need for whitelist
management?

>
> --
> Nick Kew
>
Best regards,
--
Gonzalo A. Arana
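
Added example (not part of the original thread and not Apache code): a Python sketch of the trade-off argued above. A fixed RequestTimeout of 1 second drops a slow but honest client together with a slowloris-style one, while a header-read deadline that grows with the bytes received at a minimum rate separates them. The `Policy` fields, the rate-extended deadline and all sample traffic are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:                 # hypothetical knobs, not real httpd directives
    initial_timeout: float    # seconds granted after accept(2)
    min_rate: float           # bytes/s the client must sustain (0 = fixed timeout)
    max_timeout: float        # hard cap on total header read time

def read_headers(chunks, total_len, policy):
    """chunks: (arrival_time_s, nbytes) measured from accept(2).
    Returns ("accepted", t) or ("dropped", deadline)."""
    deadline = policy.initial_timeout
    received = 0
    for t, n in chunks:
        if t > deadline:                  # server already closed the socket
            return ("dropped", deadline)
        received += n
        if policy.min_rate > 0:           # each byte buys 1/min_rate seconds
            deadline = min(policy.initial_timeout + received / policy.min_rate,
                           policy.max_timeout)
        if received >= total_len:
            return ("accepted", t)
    return ("dropped", deadline)          # client went idle before finishing

NEVER = float("inf")                      # request that is never completed

# Constructed traffic samples.
SLOW_CLIENT = [(0.5, 150), (1.0, 150), (1.5, 150), (2.0, 150)]  # 600 B at 300 B/s
SLOWLORIS = [(0.1, 200)] + [(10.0 * k, 10) for k in range(1, 50)]
AT_FLOOR = [(float(t), 100) for t in range(1, 60)]  # exactly 100 B/s, never ends

FIXED = Policy(initial_timeout=1, min_rate=0, max_timeout=1)    # RequestTimeout 1
RATED = Policy(initial_timeout=5, min_rate=100, max_timeout=30)

if __name__ == "__main__":
    for name, chunks, total in [("slow client", SLOW_CLIENT, 600),
                                ("slowloris", SLOWLORIS, NEVER),
                                ("at floor rate", AT_FLOOR, NEVER)]:
        print(name, read_headers(chunks, total, FIXED),
              read_headers(chunks, total, RATED))
```

The `max_timeout` cap is what bounds a client that sends at exactly the floor rate; without it, each connection slot could be held indefinitely at `min_rate` bytes per second.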