On Sunday 18 October 2009, Bojan Smojver wrote:
> The idea here is that a busy server is highly unlikely to be stuck
> reading using all its children over a maintenance interval (i.e. we
> expect at least one of those readers to turn into something else
> during the interval).

An attacker can easily circumvent this by opening one connection that slowly downloads a large file. Checking for a certain percentage of all children would be better.

However, there is a real problem with all approaches that look for SERVER_BUSY_READ: The attacker can just use a URL that accepts POST requests and send the request body very slowly. These connections have the state SERVER_BUSY_WRITE. This problem affects mod_antiloris and mod_noloris, too (but not mod_reqtimeout).

Maybe another state SERVER_BUSY_READ_BODY could be introduced? Or the state could be changed to SERVER_BUSY_READ again when the request body is read? I haven't checked how difficult this would be, though.
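
The two detection gaps raised in this mail, modelled as an added example (not part of the original message and not Apache code). The slot structure, the `reading_body` flag and both snapshots are constructed for illustration, and `ST_BUSY_READ_BODY` stands in for the hypothetical SERVER_BUSY_READ_BODY state suggested above.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed model of scoreboard slots; not Apache's own structures. */
enum state { ST_READY, ST_BUSY_READ, ST_BUSY_WRITE,
             ST_BUSY_READ_BODY /* hypothetical state proposed in the mail */ };
struct slot {
    enum state state;  /* state as reported today */
    int reading_body;  /* constructed flag: worker waits for a request body */
};

/* State a monitor would see. With split_body set, a worker that is reading
 * a request body reports the hypothetical state instead of BUSY_WRITE. */
static enum state seen(const struct slot *s, int split_body)
{
    if (split_body && s->state == ST_BUSY_WRITE && s->reading_body)
        return ST_BUSY_READ_BODY;
    return s->state;
}

/* Count children stuck reading headers or (if visible) a request body. */
size_t count_readers(const struct slot *sb, size_t n, int split_body)
{
    size_t i, hits = 0;
    for (i = 0; i < n; i++) {
        enum state st = seen(&sb[i], split_body);
        hits += (st == ST_BUSY_READ || st == ST_BUSY_READ_BODY);
    }
    return hits;
}

/* Alarm when at least `percent` of all children are stuck reading;
 * percent == 100 is the "all its children" rule from the quoted text. */
int readers_alarm(const struct slot *sb, size_t n, unsigned percent, int split_body)
{
    return n > 0 && count_readers(sb, n, split_body) * 100 >= (size_t)percent * n;
}
/* Constructed snapshot: four slow header readers, one slow large download. */
const struct slot snap_download[5] = { {ST_BUSY_READ, 0}, {ST_BUSY_READ, 0},
    {ST_BUSY_READ, 0}, {ST_BUSY_READ, 0}, {ST_BUSY_WRITE, 0} };
/* Constructed snapshot: four slow POST bodies, one idle child. */
const struct slot snap_post[5] = { {ST_BUSY_WRITE, 1}, {ST_BUSY_WRITE, 1},
    {ST_BUSY_WRITE, 1}, {ST_BUSY_WRITE, 1}, {ST_READY, 0} };

int main(void)
{
    printf("download: all=%d 80%%=%d; slow POST: today=%d split=%d\n",
           readers_alarm(snap_download, 5, 100, 0), readers_alarm(snap_download, 5, 80, 0),
           readers_alarm(snap_post, 5, 80, 0), readers_alarm(snap_post, 5, 80, 1));
    return 0;
}
```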