Are there *new* security implications of allowing keep-alive?

Slowloris DoS comes to mind:
https://en.wikipedia.org/wiki/Slowloris_(computer_security)

And the article mentions a number of tools.

Older devices are likely somewhat trivially DoS-able without this patch;
but maybe include a config option to disable keep-alive?

What happens to RAM and CPU usage when there are multiple tabs open with
keep-alive on?

On Fri, Mar 13, 2020, 8:20 AM Jo-Philipp Wich <j...@mein.io> wrote:

> Allow POST requests via persistent connections to improve performance
> especially when using HTTPS on older devices.
>
> After this change, average page load times in LuCI improve significantly
> once the TLS connections are initiated.
>
> When testing an ar71xx 19.07.2 build on an ethernet connected TL-WR1043nd
> using luci-ssl-openssl and the ustream-openssl backend, the average page
> load time for the main status page decreased to 1.3s compared to 4.7s
> before, the interface and wireless configuration pages loaded in 1.2s
> each compared to the 4.2s and 4.9s respectively before.
>
> Signed-off-by: Jo-Philipp Wich <j...@mein.io>
> ---
>  client.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/client.c b/client.c
> index 92f7609..2a2393f 100644
> --- a/client.c
> +++ b/client.c
> @@ -194,8 +194,7 @@ static int client_parse_request(struct client *cl,
> char *data)
>
>         req->method = h_method;
>         req->version = h_version;
> -       if (req->version < UH_HTTP_VER_1_1 || req->method ==
> UH_HTTP_MSG_POST ||
> -           !conf.http_keepalive)
> +       if (req->version < UH_HTTP_VER_1_1 || !conf.http_keepalive)
>                 req->connection_close = true;
>
>         return CLIENT_STATE_HEADER;
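
Review bot: with the `req->method == UH_HTTP_MSG_POST` term dropped from the condition, an HTTP/1.1 POST now leaves `connection_close` unset, and neither the hunk nor the commit message says why POST was forced to close in the first place. If that exception existed because a request body might not be fully consumed before the next request is parsed, leftover body bytes on the persistent connection would be read as the start of a new request; please confirm the body is always drained, or the connection closed when a handler exits early, and state that in the commit message. The remaining `!conf.http_keepalive` check still sets `connection_close`, so the existing keep-alive setting keeps working as the off switch for POST as well.
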
> --
> 2.25.1
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>