On Sun, Mar 11, 2012 at 05:11:10PM +0000, Jonathan Matthews wrote:
> On 10 March 2012 07:20, Willy Tarreau <[email protected]> wrote:
> > On Wed, Mar 07, 2012 at 02:40:20PM +0000, Jonathan Matthews wrote:
> >> It seems to me that there's a trivial DoS available whenever "observe
> >> layer7" is enabled if, as I'm imagining, the set of acceptable
> >> response codes for "observe layer7" is derived from those configured
> >> for the "httpchk".
> >
> > No it's not. I've just checked in the code and we were careful to only
> > use the error statuses that a client cannot trigger:
> >
> >   - < 100
> >   - >= 500 except 501 and 505
> >
> > I've just updated the doc to reflect this.
> 
> Thanks Willy; short of making the set of acceptable response codes
> configurable, this extra detail is exactly what's called for -
> perfect.
> 
> I still think there's a slight DoS potential if an attacker discovers
> an isolated page that 5XXs, leaving the rest of the URI space being
> served just fine. I wonder if a combination of "on-error fastinter"
> and a reasonably high "error-limit" (relative to the site's lowest
> observed reqs/sec) might mitigate against this sufficiently.
> 
> I suppose one might then have the problem of *non*-5XXing requests
> (e.g. favicons) getting in the way of at least ${error-limit} 5XXs
> being served consecutively in a real error scenario.

Well, I think you don't see it from the right angle. If we can find
some situations where there is a risk that a client manages to cause
a server to issue a 5xx, then:

  1) it probably means the application is a bit weak and the client
     is DoSing the application anyway

  2) we'd then have to extend the feature to define which codes to
     consider. However, as long as nobody reports any issue with the
     existing status codes, I'd suggest not playing with this.

Relying just on error rates to expect that someone will not kill the
application is dangerous. Most sites will always have a few 5xx in a
day, due to various timeouts when trying to reach an external
component. But that's precisely why there are various "on-error"
settings.

So in short, if you think your site might be triggered into emitting
5xx, then you're probably already in situation 1 above or we might
already need to implement workaround 2, in which case right now you
shouldn't use the on-error actions. Otherwise you shouldn't worry.

Regards,
Willy
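As an added illustration of the accounting discussed in this thread (this is a simplified model written for this page, not HAProxy's source code and not something either poster supplied): the first function encodes the status set Willy lists (below 100, or 500 and above except 501 and 505), and the second walks a sequence of observed responses counting consecutive errors against an `error-limit`. The function names, the reset-on-success behaviour and the sample status sequences are assumptions made for the example; the reset models the effect Jonathan describes, where a non-5xx response such as a favicon interrupts the run of consecutive errors.

```python
# Simplified model of "observe layer7" error accounting, as discussed in
# the thread. Assumption: this is an illustrative reconstruction written
# for this page, not HAProxy's own implementation.


def counts_as_server_error(status: int) -> bool:
    """Statuses observe layer7 treats as server-side errors, per the
    thread: below 100 (no or invalid response), or 500 and above
    except 501 (Not Implemented) and 505 (HTTP Version Not Supported),
    which a client can provoke on its own."""
    if status < 100:
        return True
    return status >= 500 and status not in (501, 505)


def simulate(statuses, error_limit):
    """Walk observed response statuses and return a pair
    (consecutive_errors_at_end, index_where_limit_was_reached_or_None).

    Assumption: a non-error response resets the consecutive counter,
    which is why interleaved 2xx/4xx traffic keeps a lone failing URL
    from pushing a server over error-limit."""
    consecutive = 0
    for i, status in enumerate(statuses):
        if counts_as_server_error(status):
            consecutive += 1
            if consecutive >= error_limit:
                return consecutive, i
        else:
            consecutive = 0
    return consecutive, None


# Constructed sample traffic (not captured from a real server).
# Scenario A: a single URL returning 503 is hit repeatedly, but ordinary
# 200 responses (favicon, static assets) are interleaved.
LONE_503_WITH_NORMAL_TRAFFIC = [503, 200, 503, 200, 503, 200, 503, 200]

# Scenario B: a genuine outage, every response is a 503.
REAL_OUTAGE = [503] * 10

# Scenario C: client-triggerable statuses, which must not count.
CLIENT_TRIGGERABLE = [501, 505, 404, 400]


def scenario_results(error_limit: int = 3):
    """Run the three constructed scenarios against one error-limit."""
    return {
        "lone_503": simulate(LONE_503_WITH_NORMAL_TRAFFIC, error_limit),
        "real_outage": simulate(REAL_OUTAGE, error_limit),
        "client_triggerable": simulate(CLIENT_TRIGGERABLE, error_limit),
    }


if __name__ == "__main__":
    for name, (left, hit) in scenario_results().items():
        state = f"limit reached at response #{hit}" if hit is not None else "limit not reached"
        print(f"{name}: {state} (consecutive errors at end: {left})")
```

With `error_limit=3`, the lone failing URL never trips the limit because each 200 resets the run, the real outage trips it on the third response, and the 501/505/4xx sequence never counts at all. Raising `error-limit` relative to normal request rate, as suggested above, widens the gap between scenario A and scenario B.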