On 09/06/2014 05:49 AM, Sergey Mironov wrote:
> Hi. Let me post a few more patches dealing with security.
Thanks! They're all pushed to the main repo now.
> 4_of_4_Introduce_recv_timeout_controlled_by___T__option_in_http_c.patch
> The most important one: I found that http.c-based applications suffer
> from a kind of DDoS attack where an attacker opens connections to the
> application but sends no data. As soon as all threads block in their
> [recv]s, the application stops answering requests. This patch helps to
> protect the application by setting up a timeout for recv and an option
> to control it.
It seems like an OK idea to include this style of timeout, but:
1) The approach still seems naive. The attacker can instead send one
byte every few seconds and do a lot of damage!
2) I've been assuming serious deployments will be behind popular HTTP
servers like Apache, using FastCGI to connect to Ur/Web apps, so that
the security measures of those HTTP servers are applied "for free".
_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
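As an added example (not Ur/Web's http.c and not code from either poster), here is a header-reading loop in C that combines the per-recv timeout the patch introduces with an overall deadline, the simplest answer to the byte-every-few-seconds objection in point 1; it assumes Linux/POSIX sockets, and the `demo_timeouts` self-check feeds it constructed input over a socketpair instead of a network connection.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

static long now_ms(void) {                       /* monotonic clock, ms */
    struct timespec ts; clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Read one request header into buf. ETIMEDOUT if per_recv_ms passes with no
 * byte at all (the idle client the patch targets) OR if total_ms elapses since
 * the call began (the byte-every-few-seconds client a per-recv timeout alone
 * lets through). Returns header length incl. its blank line, else -1 + errno. */
ssize_t read_request_header(int fd, char *buf, size_t cap,
                            int per_recv_ms, int total_ms) {
    long deadline = now_ms() + total_ms;
    size_t n = 0;
    for (;;) {
        long left = deadline - now_ms();
        if (left <= 0) { errno = ETIMEDOUT; return -1; }
        if (n == cap) { errno = EMSGSIZE; return -1; }
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int r = poll(&pfd, 1, left < per_recv_ms ? (int)left : per_recv_ms);
        if (r == 0) { errno = ETIMEDOUT; return -1; }
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        ssize_t got = recv(fd, buf + n, cap - n, 0);
        if (got == 0) { errno = ECONNRESET; return -1; }
        if (got < 0) { if (errno == EINTR) continue; return -1; }
        n += (size_t)got;
        for (size_t i = 4; i <= n; i++)          /* terminator may straddle recv()s */
            if (memcmp(buf + i - 4, "\r\n\r\n", 4) == 0) return (ssize_t)i;
    }
}

/* Self-check on a socketpair with constructed input: 0 if all three cases pass. */
int demo_timeouts(void) {
    int sv[2]; char buf[256];
    const char *req = "GET / HTTP/1.0\r\nHost: example\r\n\r\n";
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    if (write(sv[1], req, strlen(req)) != (ssize_t)strlen(req)) return 2;
    if (read_request_header(sv[0], buf, sizeof buf, 100, 500) != (ssize_t)strlen(req)) return 3;
    if (read_request_header(sv[0], buf, sizeof buf, 50, 500) != -1 || errno != ETIMEDOUT) return 4;
    if (write(sv[1], "G", 1) != 1) return 5;      /* one byte, then silence */
    if (read_request_header(sv[0], buf, sizeof buf, 1000, 100) != -1 || errno != ETIMEDOUT) return 6;
    close(sv[0]); close(sv[1]);
    return 0;
}
```

The third case in `demo_timeouts` is the slow-drip client: a byte arrives within the per-recv window, but the overall deadline still ends the read, which is what the per-recv timeout alone cannot do.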