Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2010/03/01 12:55:22 UTC

Re: svn commit: r917211 - in /httpd/httpd/branches/2.2.x: ./ build/ docs/manual/mod/ modules/filters/ os/win32/

On Sun, Feb 28, 2010 at 12:25 PM,  <sf...@apache.org> wrote:
> Author: sf
> Date: Sun Feb 28 17:25:44 2010
> New Revision: 917211
>
> URL: http://svn.apache.org/viewvc?rev=917211&view=rev
> Log:
> Backport mod_reqtimeout from trunk.
>
> Reviewed by: sf, jorton, rjung
>
> To take trawick's comment into account, I have changed enabled=yes into
> enabled=most.

(Thanks; sorry for not following up yet on your earlier response.)

BTW, what is experimental about it?

a. code not battle hardened
b. design or even directives are a guess at what might really be needed
(I don't know how we mitigate that within a stable branch)
c. ???

Re: svn commit: r917211 - in /httpd/httpd/branches/2.2.x: ./ build/ docs/manual/mod/ modules/filters/ os/win32/

Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Monday 01 March 2010, Jeff Trawick wrote:
> BTW, what is experimental about it?
> 
> a. code not battle hardened
> b. design or even directives are a guess at what might really be
>  needed (I don't know how we mitigate that within a stable branch)
>  c. ???

Mostly a. AFAIK, it hasn't been tested on any really busy site yet. 
And there are lots of weird http clients out there. And there may 
still be other issues in it, besides the AP_MODE_GETLINE problem I 
described in the reply to Gregg L. Smith.

About b: mod_reqtimeout is a big step towards making slowloris-type 
DoS attacks more difficult. We will have to see if it is enough.

In any case it is a useful addition to httpd. I have encountered one 
case where a buggy client was accidentally DoSing a web server by 
creating lots of tcp connections via CONNECT. As it was coming through 
a proxy chain belonging to different administrative domains in two 
countries, it took quite some time to find out which client was 
causing the problem. In that case mod_reqtimeout would have been 
really useful as short-term mitigation.
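To illustrate the kind of read timeout with a minimum data rate that the discussion above is about, here is an added model (not mod_reqtimeout's code, and not part of this thread). It assumes a policy shaped like the module's RequestReadTimeout header=20-40,MinRate=500 setting, read as: 20 s initially, one extra second per 500 bytes received, never beyond 40 s; the traffic shapes are constructed.

```python
from dataclasses import dataclass

@dataclass
class ReadTimeoutPolicy:
    initial: float   # seconds allowed before the first deadline
    maximum: float   # cap on the deadline, extensions included
    min_rate: float  # bytes/second a client must sustain to earn more time

# Assumed reading of "header=20-40,MinRate=500": 20 s initially,
# +1 s per 500 bytes received, never beyond 40 s in total.
DEFAULT_POLICY = ReadTimeoutPolicy(initial=20.0, maximum=40.0, min_rate=500.0)

def evaluate_header_read(chunks, header_len, policy=DEFAULT_POLICY):
    """chunks: ordered list of (arrival_time_s, nbytes) measured from the
    moment the connection was accepted.  Returns ("complete", t) once
    header_len bytes arrived before the deadline, else ("timeout", deadline)."""
    deadline = policy.initial
    received = 0
    for t, n in chunks:
        if t > deadline:              # nothing arrived in time: drop it
            return "timeout", deadline
        received += n
        if received >= header_len:
            return "complete", t
        # data that did arrive buys more time, proportional to its size
        deadline = min(policy.maximum, deadline + n / policy.min_rate)
    return "timeout", deadline        # stream ended without a full header

# Constructed traffic shapes, not captured data.
NORMAL_CLIENT = [(0.05, 300)]                          # whole header at once
TRICKLE_CLIENT = [(5.0 * i, 4) for i in range(40)]     # a few bytes every 5 s
SLOW_LINK = [(0.5 * i, 250) for i in range(60)]        # steady 500 B/s

def demo():
    """Verdicts for each traffic shape; the last entry removes the MinRate
    extension to show why a plain fixed timeout hurts slow but honest links."""
    no_extension = ReadTimeoutPolicy(initial=20.0, maximum=20.0, min_rate=float("inf"))
    return {
        "normal": evaluate_header_read(NORMAL_CLIENT, header_len=300),
        "trickle": evaluate_header_read(TRICKLE_CLIENT, header_len=300),
        "slow_link": evaluate_header_read(SLOW_LINK, header_len=12000),
        "slow_link_fixed_timeout": evaluate_header_read(
            SLOW_LINK, header_len=12000, policy=no_extension),
    }

if __name__ == "__main__":
    for name, (verdict, t) in demo().items():
        print(f"{name:24s} {verdict:9s} at t={t:.2f}s")
```

The trickle client is cut off shortly after 20 s, while the client on a slow link completes its 12000-byte header at 23.5 s because its steady rate keeps extending the deadline; under a fixed 20 s timeout that same client would be dropped.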