On Tue, Sep 1, 2009 at 5:58 AM, nikhil kohli<[email protected]> wrote:

> 1. Can we mitigate the issue using iptables only?

That seems to be the conventional wisdom.

> 2. Even mod_noloris.c is vulnerable to slowloris attack, will there be a
> change in approach for solving this in future?

People seem to be working on it from a few angles, and there are
already multiple modules that address it -- I wouldn't call this one
authoritative or final in any way.

> 3. Is there a way to delay the process of creating connection until whole
> header is received?

I don't think so, can you elaborate on what you mean by creating a connection?

> 4. How to check time taken by server for reading the request?

The core notes the time when the request line is read, but not when
all the headers are done.  Modules can easily note these times
though by springing to life in the right hook.

These types of questions are better posed on [email protected]

> Also, may I know if the Apache team acknowledges slowloris as an issue or not?

Can't speak for anyone else, but it seems to be acknowledged mostly as
a scalability/optimization issue which has already been on the radar
(and only as a pressing issue at the firewall level)

-- 
Eric Covener
[email protected]
