Posted to cvs@httpd.apache.org by rp...@apache.org on 2006/01/17 20:58:22 UTC

svn commit: r369902 - /httpd/httpd/trunk/docs/manual/misc/security_tips.xml

Author: rpluem
Date: Tue Jan 17 11:58:19 2006
New Revision: 369902

URL: http://svn.apache.org/viewcvs?rev=369902&view=rev
Log:
* Add a sentence about DDOS.
* Mention problems with low Timeouts and long running CGIs.
* Stress out the experimental character of event MPM and that it does not
  work with ssl currently.

Modified:
    httpd/httpd/trunk/docs/manual/misc/security_tips.xml

Modified: httpd/httpd/trunk/docs/manual/misc/security_tips.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/misc/security_tips.xml?rev=369902&r1=369901&r2=369902&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/misc/security_tips.xml (original)
+++ httpd/httpd/trunk/docs/manual/misc/security_tips.xml Tue Jan 17 11:58:19 2006
@@ -66,7 +66,8 @@
     other operating-system configurations.  For example, most
     firewalls can be configured to restrict the number of simultaneous
     connections from any individual IP address or network, thus
-    preventing a range of simple attacks.</p>
+    preventing a range of simple attacks.  Of course this is no help
+    against Distributed Denial of Service attacks (DDoS).</p>
 
     <p>There are also certain Apache HTTP Server configuration
     settings that can help mitigate problems:</p>
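Review bot: The added DDoS sentence states the limitation but not the reason, which is the part a reader of a security-tips page needs; the preceding sentence explains that the firewall limit is applied per IP address or network, so say explicitly that a distributed attack spreads its connections across many source addresses and each one stays under the limit. Something like "Of course this is no help against Distributed Denial of Service attacks (DDoS), where each attacking address stays below the per-address limit." would make the "no help" claim follow from the text rather than stand as an aside. Minor: "Of course" reads as editorial in documentation and can be dropped.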
@@ -74,10 +75,19 @@
     <ul>
       <li>The <directive module="core">TimeOut</directive> directive
       should be lowered on sites that are subject to DoS attacks.
-      Setting this to as low as a few seconds may be appropriate.  See
-      also the <directive module="core">KeepAliveTimeout</directive>
-      directive and various timeout-related directives provided by
-      different modules.</li>
+      Setting this to as low as a few seconds may be appropriate.
+      As <directive module="core">TimeOut</directive> is currently
+      used for several different operations, setting it to a low value
+      introduces problems with long running CGI scripts.</li>
+
+      <li>The <directive module="core">KeepAliveTimeout</directive>
+      directive may be also lowered on sites that are subject to DoS
+      attacks.  Some sites even turn off the keepalives completely via
+      <directive module="core">KeepAlive</directive>, which has of course
+      other drawbacks on performance.</li>
+
+      <li>The values of various timeout-related directives provided by
+      other modules should be checked.</li>
 
       <li>The directives 
       <directive module="core">LimitRequestBody</directive>,
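Review bot: The new TimeOut text warns that a low value "introduces problems with long running CGI scripts" but gives the administrator no way to act on the warning; add the concrete constraint, i.e. that TimeOut must stay above the longest time a CGI script on the site is expected to take before sending output, otherwise the request is aborted. In the KeepAliveTimeout item, "which has of course other drawbacks on performance" is vague: state the drawback (every request then needs a new connection) so the trade-off is visible. The third item, "should be checked", does not say what to check for; "should be reviewed and lowered where appropriate" matches the intent of the other two items. Grammar: "may be also lowered" should read "may also be lowered".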
@@ -103,9 +113,13 @@
 
       <li>The use of a threaded <a href="../mpm.html">mpm</a> may
       allow you to handle more simultaneous connections, thereby
-      mitigating DoS attacks.  Further, the <module>event</module> mpm
+      mitigating DoS attacks.  Further, the experimental 
+      <module>event</module> mpm
       uses asynchronous processing to avoid devoting a thread to each
-      connection.</li>
+      connection. At the current point of time this
+      is work in progress and not fully implemented.  Especially the
+      <module>event</module> mpm is currently incompatible with 
+      <module>mod_ssl</module> and other input filters.</li>
 
       <li>There are a number of third-party modules available through
       <a
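Review bot: The new last sentence asserts that the event MPM is incompatible with "mod_ssl and other input filters", which is broader than the commit log's "does not work with ssl currently"; either qualify it (for example "incompatible with mod_ssl and may not work with other input filters") or document which filters are known to be affected, since readers will treat this page as authoritative for what is safe to deploy. "At the current point of time this is work in progress and not fully implemented" is wordy and "point of time" should be "point in time"; "At present this is work in progress and not fully implemented" says the same. Style: the lines ending in "experimental " and "with " carry trailing whitespace.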