On 10 March 2012 07:20, Willy Tarreau <[email protected]> wrote:
> On Wed, Mar 07, 2012 at 02:40:20PM +0000, Jonathan Matthews wrote:
>> It seems to me that there's a trivial DoS available whenever "observe
>> layer7" is enabled if, as I'm imagining, the set of acceptable
>> response codes for "observe layer7" is derived from those configured
>> for the "httpchk".
>
> No it's not. I've just checked in the code and we were careful to only
> use the error statuses that a client cannot trigger :
>
> - < 100
> - >= 500 except 501 and 505
>
> I've just updated the doc to reflect this.

Thanks Willy; short of making the set of acceptable response codes
configurable, this extra detail is exactly what's called for -
perfect.

I still think there's a slight DoS potential if an attacker discovers
an isolated page that 5XXs, leaving the rest of the URI space being
served just fine. I wonder if a combination of "on-error fastinter"
and a reasonably high "error-limit" (relative to the site's lowest
observed reqs/sec) might mitigate against this sufficiently.

I suppose one might then have the problem of *non*-5XXing requests
(e.g. favicons) getting in the way of at least ${error-limit} 5XXs
being served consecutively in a real error scenario.

Hmmm.

Jonathan
--
Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html
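
The trade-off raised in this message, as an added example that is not part of the original thread and is not HAProxy code: a small model of a consecutive-error counter using the status set quoted above. It assumes any non-error response resets the streak, as "consecutively" in the message implies; the function names and traffic patterns are constructed for illustration.

```python
# Added model; not HAProxy source code.
def is_l7_error(status):
    """Error set quoted in the thread: < 100, or >= 500 except 501 and 505."""
    return status < 100 or (status >= 500 and status not in (501, 505))


def first_trip(statuses, error_limit):
    """1-based index of the response where the consecutive-error streak
    reaches error_limit, or None if it never does.
    Assumption: any non-error response resets the streak to zero."""
    streak = 0
    for position, status in enumerate(statuses, 1):
        if is_l7_error(status):
            streak += 1
            if streak >= error_limit:
                return position
        else:
            streak = 0
    return None


def interleave(error_status, ok_status, errors_per_ok, total):
    """Constructed traffic: errors_per_ok error responses, then one OK, repeated."""
    pattern = [error_status] * errors_per_ok + [ok_status]
    return [pattern[i % len(pattern)] for i in range(total)]


if __name__ == "__main__":
    # Constructed scenario A: one isolated 500ing page requested repeatedly
    # while normal 200 traffic arrives once per 3 such requests.
    probe = interleave(500, 200, 3, 300)
    # Constructed scenario B: real outage, but every 20th response is a
    # non-5XX (the favicon case), so streaks top out at 19.
    outage = interleave(503, 200, 19, 300)
    for limit in (3, 10, 50):
        print(limit, first_trip(probe, limit), first_trip(outage, limit))
    # Client-triggerable statuses never count, however many are sent.
    print(first_trip([404, 501, 505] * 100, 1))
```

A limit above the longest streak the isolated page can produce protects scenario A, but the same limit hides the outage in scenario B whenever a non-5XX response arrives more often than once per limit.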