You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/03/04 13:25:57 UTC
DO NOT REPLY [Bug 50870] New: Content-Lenght specified in a GET
request makes the listener to wait until the timeout.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50870
Summary: Content-Lenght specified in a GET request makes the
listener to wait until the timeout.
Product: Apache httpd-2
Version: 2.2.17
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: Core
AssignedTo: bugs@httpd.apache.org
ReportedBy: enrico.fusi@gmail.com
It seems possible to make the apache child to wait until the timeout if the
Content-Lenght is specified inside a GET request. I perfectly know that the
RFC2616 is not explicitely forbidding to provide a content-lenght to the GET
request. The problem is a GET request with a content-lenght just takes some
dozens of bytes, and then this makes that easy to produce DDOS.
This makes possible , expecially in the prefork configuration, to easily make
all the childs busy in a server with some KB/s of bandwidth.
This happens even forbidding to have a Content-Lenght in the GET request with a
rewriterules, or to setting mod_security to block this: the listener stays busy
until the timeout expires.
This is an example with 90 secs of timeout. To reproduce it is easy.
time curl -v someserver:80 -H'Content-Length: 59'
* About to connect() to localhost port 13091
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 13091
> GET / HTTP/1.1
> User-Agent: curl/7.15.3 (sparc-sun-solaris2.9) libcurl/7.15.3 OpenSSL/0.9.8a zlib/1.2.3
> Host: someserver:80
> Accept: */*
> Content-Length: 59
>
< HTTP/1.1 403 Forbidden
< Date: Fri, 04 Mar 2011 11:51:26 GMT
< Content-Length: 202
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>
* Closing connection #0
real 1m30.862s
user 0m0.028s
sys 0m0.032s
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 50870] Content-Lenght specified in a GET request
makes the listener to wait until the timeout.
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50870
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #1 from Eric Covener <co...@gmail.com> 2011-03-04 07:46:28 EST ---
This seems to be working as designed, Apache waits for the request to complete
for as long as you configure it. For more fine grained control, use
mod_reqtimeout.
In the case of your rewrites, Apache is waiting to drain the body so the client
will be sure to read the error.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org