On 09/01/2009 08:42 AM, Stefan Fritsch wrote:
> On Tuesday 01 September 2009, Nick Kew wrote:
>
>>> - Apache should respond with HTTP_REQUEST_TIME_OUT and not
>>> HTTP_BAD_REQUEST when there is a timeout reading the request.
>> In the slowloris case, it needs to time out before there's any such
>> thing as an HTTP request, so it won't be sending an HTTP response.
>> But I guess you're talking about the body timeout?
>
> No, about the request. When apache has received at least one line of
> the request, it currently responds with HTTP_BAD_REQUEST when there is
> a timeout before the complete request was read. In this case
> HTTP_REQUEST_TIME_OUT is more appropriate. It means "the client did
> not produce a request within the time that the server was prepared to
> wait".

Is this just regarding better logging on the server side? Otherwise I
wouldn't care too much what we sent to an attacker.

Regards

Rüdiger
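
An added example, not part of the original message or of Apache's code: it shows what the status code changes on the logging side, by counting 400 and 408 responses per client in Common Log Format lines so that read timeouts can be told apart from malformed requests. The sample lines, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Sep/2009:08:40:01 +0200] "GET / HTTP/1.1" 408 -',
    '198.51.100.7 - - [01/Sep/2009:08:40:02 +0200] "GET / HTTP/1.1" 408 -',
    '198.51.100.7 - - [01/Sep/2009:08:40:03 +0200] "-" 408 -',
    '198.51.100.7 - - [01/Sep/2009:08:40:04 +0200] "GET / HTTP/1.1" 408 -',
    '203.0.113.9 - - [01/Sep/2009:08:40:05 +0200] "GET /%zz HTTP/1.1" 400 226',
    '203.0.113.9 - - [01/Sep/2009:08:40:06 +0200] "GET / HTTP/1.1" 200 4523',
    '192.0.2.5 - - [01/Sep/2009:08:40:07 +0200] "POST /form HTTP/1.1" 408 -',
    'not a log line',
]


def summarize(lines):
    """Return {client: Counter({status: n})} for 400 and 408 responses."""
    per_client = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, status = m.group(1), int(m.group(3))
        if status in (400, 408):
            per_client.setdefault(host, Counter())[status] += 1
    return per_client


def timeout_suspects(lines, threshold=3):
    """Clients with at least `threshold` request timeouts (408)."""
    return sorted(h for h, c in summarize(lines).items() if c[408] >= threshold)


if __name__ == "__main__":
    for host, counts in sorted(summarize(SAMPLE).items()):
        print(host, "400:", counts[400], "408:", counts[408])
    print("suspects:", timeout_suspects(SAMPLE))
```

If timeouts were logged as 400, the first client's four entries would be indistinguishable from the second client's single malformed request without inspecting each request string.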
