On Sun, 2009-10-18 at 10:37 +0200, Stefan Fritsch wrote:
> An attacker can easily circumvent this by opening one connection that
> slowly downloads a large file. Checking for a certain percentage of
> all children would be better.

Yeah, I was thinking of that too - just wanted to err on the side of
caution by having the lot in read state. We can also create a checksum
of pids/states and if this is the same second time around, pronounce it
under attack (combined with percentage).

> However, there is a real problem with all approaches that look for
> SERVER_BUSY_READ: The attacker can just use a URL that accepts POST
> requests and send the request body very slowly. These connections have
> the state SERVER_BUSY_WRITE. This problem affects mod_antiloris and
> mod_noloris, too (but not mod_reqtimeout).
>
> Maybe another state SERVER_BUSY_READ_BODY could be introduced? Or the
> state could be changed to SERVER_BUSY_READ again when the request body
> is read? I haven't checked how difficult this would be, though.

Yeah, that part sucks. But the real deal is that there is a finite
amount of resources we have (be that sockets, threads or processes) and
we need to decide how we are willing to dole these out.

-- 
Bojan
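The two-sample heuristic sketched above (flag an attack when at least a given percentage of children sit in SERVER_BUSY_READ and the checksum of pid/state pairs is unchanged since the previous sample), as an added Python example that is not part of this thread, of mod_noloris or of httpd. The scoreboard is a constructed list of (pid, state) pairs rather than httpd's shared-memory scoreboard, the state names only mirror those in scoreboard.h, and the 80% threshold is an assumed value. The third sample set reproduces Stefan's caveat: the same slow-sending trick against a POST URL leaves the children in SERVER_BUSY_WRITE, so the check never fires.

```python
import hashlib

# State names mirror httpd's scoreboard.h; the scoreboard itself is a
# constructed list of (pid, state) pairs, not the real shared-memory one.
SERVER_READY = "SERVER_READY"
SERVER_BUSY_READ = "SERVER_BUSY_READ"
SERVER_BUSY_WRITE = "SERVER_BUSY_WRITE"
SERVER_BUSY_KEEPALIVE = "SERVER_BUSY_KEEPALIVE"


def fingerprint(scoreboard):
    """Checksum over (pid, state) pairs. Two consecutive samples with the
    same digest mean no child changed state between them. Sorting makes
    the digest independent of slot order."""
    h = hashlib.sha256()
    for pid, state in sorted(scoreboard):
        h.update(f"{pid}:{state};".encode())
    return h.hexdigest()


def busy_read_fraction(scoreboard):
    """Share of children parked in SERVER_BUSY_READ (the header phase)."""
    if not scoreboard:
        return 0.0
    reading = sum(1 for _, state in scoreboard if state == SERVER_BUSY_READ)
    return reading / len(scoreboard)


class LorisDetector:
    """Flags an attack only when the BUSY_READ share reaches `threshold`
    (assumed: 0.8) AND the pid/state checksum equals the previous sample's,
    i.e. the readers are the same stuck children, not fresh requests."""

    def __init__(self, threshold=0.8):
        self.threshold = threshold
        self.last_fingerprint = None

    def sample(self, scoreboard):
        fraction = busy_read_fraction(scoreboard)
        digest = fingerprint(scoreboard)
        stuck = digest == self.last_fingerprint
        self.last_fingerprint = digest
        return fraction >= self.threshold and stuck


def run_samples(samples, threshold=0.8):
    """Feed consecutive scoreboard samples to one detector; return the
    per-sample verdicts (True = pronounced under attack)."""
    det = LorisDetector(threshold)
    return [det.sample(s) for s in samples]


# Constructed scoreboards, 10 child slots each.
NORMAL = [(100 + i, s) for i, s in enumerate(
    [SERVER_READY] * 4 + [SERVER_BUSY_WRITE] * 3
    + [SERVER_BUSY_READ] * 2 + [SERVER_BUSY_KEEPALIVE])]

# Classic Slowloris: 9 of 10 children held in the header-read phase,
# and the same 9 pids are still there on the next sample.
SLOWLORIS = [(100 + i, SERVER_BUSY_READ if i < 9 else SERVER_READY)
             for i in range(10)]

# Same trick against a POST URL: httpd has finished reading headers, so
# the children are in SERVER_BUSY_WRITE while the body trickles in, and
# a BUSY_READ-based check sees nothing wrong.
SLOW_POST = [(100 + i, SERVER_BUSY_WRITE if i < 9 else SERVER_READY)
             for i in range(10)]


if __name__ == "__main__":
    print("normal    ", run_samples([NORMAL, NORMAL]))        # [False, False]
    print("slowloris ", run_samples([SLOWLORIS, SLOWLORIS]))  # [False, True]
    print("slow POST ", run_samples([SLOW_POST, SLOW_POST]))  # [False, False]
```

The fingerprint only has to be compared, never stored beyond the previous sample, so a module could keep it in a single static buffer; the percentage test is what keeps one legitimate long-running reader from tripping it, and the slow-POST case is exactly the gap a SERVER_BUSY_READ_BODY state (or mod_reqtimeout's per-request body timeout) would close.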