________________________________
From: Greg Ames Sent: Mittwoch, 24. August 2011 16:05
To: dev@httpd.apache.org
Subject: Re: Mitigation Range header
On Wed, Aug 24, 2011 at 9:01 AM, "Plüm, Rüdiger, VF-Group"
<ruediger.pl...@vodafone.com> wrote:
> Hmm - when I remove mod_deflate (i.e. explicitly as it is the
> default in all our installs) and test on a / entry which is a
> static file which is large (100k)* - then I cannot get apache
> on its knees on a freebsd machine - saturating the 1Gbit
> connection it has (Note: the attack machines *are* getting
> saturated). The moment i put in mod_deflate, mod_external
> filter, etc - it is much easier to get deplete enough
> resources to notice.
>
> Dw.
>
> *: as I cannot reproduce the issue with very small index.html
files.
Have you tried if the same happens with mod_deflate, but with
one of the
the proposed mitigations in place?
As said my guess is that this might be an issue with
mod_deflate that
is unrelated to the Range request issue.
I think mod_deflate is just the tool to convert an O(N^2) data size
problem into an O(N^2) CPU usage problem, where N is some function of
LimitRequestLine. If the file size is smaller than the largest range end used
in the attack, it may reduce the amount of data actually going down the filter
chain.
Greg
I don't think so. The compression happens before the byterange filter
and the byterange filter just hacks the already compressed brigade into more
buckets and rearranges them.
mod_deflate does not do more work if it is a range request. It does the
same amount of work as for the non range request.
Regards
Rüdiger
- Re: Mitigation Range header (Was: DoS with ... Dirk-Willem van Gulik
- RE: Mitigation Range header (Was: DoS with ... Plüm, Rüdiger, VF-Group
- Re: Mitigation Range header Florian Weimer
- Re: Mitigation Range header Dirk-WIllem van Gulik
- Re: Mitigation Range header Florian Weimer
- Re: Mitigation Range header Dirk-WIllem van Gulik
- Re: Mitigation Range header Florian Weimer
- RE: Mitigation Range header Plüm, Rüdiger, VF-Group
- Re: Mitigation Range header Dirk-WIllem van Gulik
- Re: Mitigation Range header Greg Ames
- RE: Mitigation Range header Plüm, Rüdiger, VF-Group
- Re: Mitigation Range header Greg Ames
- RE: Mitigation Range header Plüm, Rüdiger, VF-Group
- Re: DoS with mod_deflate & range reques... Jim Jagielski
- RE: DoS with mod_deflate & range reques... Plüm, Rüdiger, VF-Group
- Re: DoS with mod_deflate & range requests Roy T. Fielding
- Re: DoS with mod_deflate & range reques... Stefan Fritsch
- Re: DoS with mod_deflate & range reques... Tim Bannister
- Re: DoS with mod_deflate & range reques... Dirk-Willem van Gulik
- RE: DoS with mod_deflate & range reques... Plüm, Rüdiger, VF-Group
- Re: DoS with mod_deflate & range reques... Jim Jagielski
