On Thu, 19 Dec 2002 16:29:15 -0500, Barry, Richard wrote:

>>>This is a classic denial-of-service which is impossible to defend against
>>>at the application level.

>>    Nonsense. It's a result of a design flaw (process per connection, with
>>the process assigned before the connection is validated along with a limited
>>number of processes) in the application. It could be defended against at
>>the application level any number of ways.

>It doesn't matter if the design is one process per connection or one thread
>per connection. The Apache server accepts the connection and waits for data
>until a timer expires. If a malicious client has enough resources, it can
>consume all available connections until the server times them out. And then
>the client can try it all over again.

        You can't sustain an "it doesn't matter" argument with a claim that begins
with "if". If the "if" isn't the case, then it does matter.

        Resisting a DoS attack is about what the attacker can generate and what you
can take. If you can take more than the attacker can generate, you win. If
not, you lose.

        Let's go back to how we got into this. The position I was refuting was that
this is a fundamental problem that can't be solved at the application level.
But this is utterly false -- there are any number of ways, at the application
level, that resistance to this type of denial of service attack could be
provided.

        DS
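One shape the application-level resistance argued for above can take, as an added example that is not part of this thread and not Apache or OpenSSL code: a connection is held in a cheap pending slot and only gets a worker once it has actually sent something, with a per-source cap on pending slots and a reaper for silent connections. The policy values, connection ids and 10.0.0.x addresses are constructed for the illustration.

```python
from collections import defaultdict

class AdmissionGate:
    """Application-level admission control in front of a bounded worker pool.
    Assumed policy (illustrative, not Apache's design): an accepted connection
    holds only a cheap 'pending' slot until it sends its first request bytes;
    silent ones expire after header_timeout, per_source_limit caps each source."""

    def __init__(self, max_workers, per_source_limit, header_timeout):
        self.max_workers = max_workers
        self.per_source_limit = per_source_limit
        self.header_timeout = header_timeout
        self.pending = {}                   # conn_id -> (source, accepted_at)
        self.per_source = defaultdict(int)  # source -> pending count
        self.workers_in_use = 0

    def accept(self, conn_id, source, now):
        """Listener accepted a socket; decide whether to even hold it."""
        if self.per_source[source] >= self.per_source_limit:
            return "rejected: per-source cap"
        if self.workers_in_use + len(self.pending) >= self.max_workers:
            return "rejected: pool full"
        self.pending[conn_id] = (source, now)
        self.per_source[source] += 1
        return "pending"

    def reap(self, now):
        """Free slots held by connections that stayed silent past the timeout."""
        expired = [c for c, (_, t0) in self.pending.items()
                   if now - t0 >= self.header_timeout]
        for c in expired:
            self.per_source[self.pending.pop(c)[0]] -= 1
        return len(expired)

    def first_bytes(self, conn_id, now):
        """Client sent data: validated, so promote it to a real worker."""
        self.reap(now)
        if conn_id not in self.pending:
            return "dropped"
        self.per_source[self.pending.pop(conn_id)[0]] -= 1
        self.workers_in_use += 1
        return "assigned"

def simulate(gate):
    """Constructed scenario: 10.0.0.1 opens 30 connections at t=0 and never
    sends a byte; 10.0.0.2 connects at t=1 and sends its request at once."""
    silent = [gate.accept(f"a{i}", "10.0.0.1", now=0.0) for i in range(30)]
    admitted = gate.accept("b0", "10.0.0.2", now=1.0)
    return silent.count("pending"), admitted, gate.first_bytes("b0", now=1.0)
```

Running `simulate` with a per-source cap of 4 on an 8-worker pool leaves the second client served while the silent connections are reaped later; raising the cap above the pool size reproduces the exhaustion the thread describes.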


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]