2014-09-06 18:02 GMT+04:00 Adam Chlipala <[email protected]>:
> On 09/06/2014 05:49 AM, Sergey Mironov wrote:
>> 4_of_4_Introduce_recv_timeout_controlled_by___T__option_in_http_c.patch
>
> It seems like an OK idea to include this style of timeout, but:
> 1) The approach still seems naive. The attacker can instead send one byte
> every few seconds and do a lot of damage!
> 2) I've been assuming serious deployments will be behind popular HTTP
> servers like Apache, using FastCGI to connect to Ur/Web apps, so that the
> security measures of those HTTP servers are applied "for free".

Agree. Probably, I shouldn't call this patch 'a DDoS protection'. I did face a timeout problem while running an http.c-based application on the Internet. I think it was something like a mad or broken Internet scanner rather than a _real_ attack, but it was able to mute the application. The timeout patch seems to add some amount of resistance, so the application became stable in a neutral environment. To protect it against hostile clients one really should use special tools.

Regards,
Sergey

_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
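Adam's first point in the thread above, as an added example that is not part of the original messages or of Ur/Web's http.c: a per-recv idle timeout is reset by every byte that arrives, so a header read also needs an overall deadline. The names `read_headers` and `spawn_slow_peer` and the return codes are hypothetical, and the slow peer is a constructed local test fixture over a socketpair.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

static long now_ms(void) { /* monotonic clock in milliseconds */
  struct timespec ts;
  clock_gettime(CLOCK_MONOTONIC, &ts);
  return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}
/* Read headers up to "\r\n\r\n". idle_ms bounds each wait (a per-recv timeout);
 * total_ms bounds the whole read. Returns the header length, or
 * -1 idle timeout, -2 total deadline, -3 EOF, error or buffer full. */
int read_headers(int fd, char *buf, size_t cap, int idle_ms, int total_ms) {
  long deadline = now_ms() + total_ms;
  size_t len = 0;
  while (len + 1 < cap) {
    long left = deadline - now_ms();
    if (left <= 0) return -2;
    int idle_first = left >= idle_ms; /* which limit expires first? */
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int r = poll(&p, 1, idle_first ? idle_ms : (int)left);
    if (r < 0 && errno == EINTR) continue;
    if (r < 0) return -3;
    if (r == 0) return idle_first ? -1 : -2;
    ssize_t n = recv(fd, buf + len, cap - 1 - len, 0);
    if (n <= 0) return -3;
    buf[len += (size_t)n] = '\0'; /* keep buf NUL-terminated for strstr */
    if (strstr(buf, "\r\n\r\n")) return (int)len;
  }
  return -3;
}
/* Constructed test peer: a child writes msg one byte every gap_ms; returns server fd. */
int spawn_slow_peer(const char *msg, int gap_ms) {
  int sv[2];
  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
  pid_t pid = fork();
  if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
  if (pid == 0) {
    close(sv[0]);
    for (; *msg && write(sv[1], msg, 1) == 1; msg++) poll(NULL, 0, gap_ms);
    _exit(0);
  }
  close(sv[1]);
  return sv[0];
}
```

With only the idle limit in effect (a large `total_ms`), a peer that sends one byte every 50 ms completes normally; the same peer is cut off once `total_ms` is shorter than the time it needs.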
