On 30 April 2013 11:29, Graham Leggett <minf...@sharp.fm> wrote:
> On 30 Apr 2013, at 12:03 PM, André Warnier <a...@ice-sa.com> wrote:
>
>> The only cost would be a relatively small change to the Apache webservers,
>> which is what my suggestion consists of: adding a variable delay (say
>> between 100 ms and 2000 ms) to any 404 response.
>
> This would have no real effect.
>
> Bots are patient, slowing them down isn't going to inconvenience a bot in any 
> way. The simple workaround if the bot does take too long is to simply send 
> the requests in parallel.

Disagree. Raising the bar reduces volume.

In general, I hate the argument that improvement X has obvious
workaround A and therefore we should not bother with it. It's
absolutely impossible to make forward progress in security with that
attitude. Every defence is defeatable (says experience) yet some are
still worth putting in place.

> At the same time, slowing down 404s would break real websites, as 404 isn't 
> necessarily an error, but rather simply a notice that says the resource isn't 
> found.
>
> Regards,
> Graham
> --
>
