On Tuesday 01 September 2009, Ruediger Pluem wrote:
> >>> - Apache should respond with HTTP_REQUEST_TIME_OUT and not
> >>> HTTP_BAD_REQUEST when there is a timeout reading the request.
> >>
> >> In the slowloris case, it needs to time out before there's any
> >> such thing as an HTTP request, so it won't be sending an HTTP
> >> response. But I guess you're talking about the body timeout?
> >
> > No, about the request. When apache has received at least one line
> > of the request, it currently responds with HTTP_BAD_REQUEST when
> > there is a timeout before the complete request was read. In this
> > case HTTP_REQUEST_TIME_OUT is more appropriate. It means "the
> > client did not produce a request within the time that the server
> > was prepared to wait".
>
> Is this just regarding better logging on the server side? Otherwise
> I wouldn't care too much what we sent to an attacker.

Well, if there is a legitimate client who is too slow, it's better to send him a meaningful error message. But it's not that important, of course.
