Posted to cvs@httpd.apache.org by sl...@apache.org on 2006/01/17 17:56:06 UTC

svn commit: r369835 - in /httpd/httpd/trunk/docs/manual/misc: security_tips.html.en security_tips.xml security_tips.xml.ko

Author: slive
Date: Tue Jan 17 08:56:01 2006
New Revision: 369835

URL: http://svn.apache.org/viewcvs?rev=369835&view=rev
Log:
A few small anti-DoS updates including the Limit* directives.

Modified:
    httpd/httpd/trunk/docs/manual/misc/security_tips.html.en
    httpd/httpd/trunk/docs/manual/misc/security_tips.xml
    httpd/httpd/trunk/docs/manual/misc/security_tips.xml.ko

Modified: httpd/httpd/trunk/docs/manual/misc/security_tips.html.en
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/misc/security_tips.html.en?rev=369835&r1=369834&r2=369835&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/misc/security_tips.html.en (original)
+++ httpd/httpd/trunk/docs/manual/misc/security_tips.html.en Tue Jan 17 08:56:01 2006
@@ -64,17 +64,17 @@
 
     
 
-    <p>All network servers are subject to denial of service atacks
+    <p>All network servers can be subject to denial of service atacks
     that attempt to prevent responses to clients by tying up the
     resources of the server.  It is not possible to prevent such
     attacks entirely, but you can do certain things to mitigate the
     problems that they create.</p>
 
-    <p>Often the most effective anti-DoS tools will be a firewall or
-    other operating-system tools.  For example, most firewalls can be
-    configured to restrict the number of simultaneous connections from
-    any individual IP address or network, thus preventing a range of
-    simple attacks.</p>
+    <p>Often the most effective anti-DoS tool will be a firewall or
+    other operating-system configurations.  For example, most
+    firewalls can be configured to restrict the number of simultaneous
+    connections from any individual IP address or network, thus
+    preventing a range of simple attacks.</p>
 
     <p>There are also certain Apache HTTP Server configuration
     settings that can help mitigate problems:</p>
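Review bot: The re-added first line of the opening paragraph still carries the misspelling "atacks". Since the line is being rewritten anyway, correct it to "attacks" in the same change so the typo does not survive another revision.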
@@ -85,10 +85,19 @@
       Setting this to as low as a few seconds may be appropriate.  See
       also the <code class="directive"><a href="../mod/core.html#keepalivetimeout">KeepAliveTimeout</a></code>
       directive and various timeout-related directives provided by
-      other modules.</li>
+      different modules.</li>
+
+      <li>The directives 
+      <code class="directive"><a href="../mod/core.html#limitrequestbody">LimitRequestBody</a></code>,
+      <code class="directive"><a href="../mod/core.html#limitrequestfields">LimitRequestFields</a></code>,
+      <code class="directive"><a href="../mod/core.html#limitrequestfilesize">LimitRequestFileSize</a></code>,
+      <code class="directive"><a href="../mod/core.html#limitrequestline">LimitRequestLine</a></code>, and
+      <code class="directive"><a href="../mod/core.html#limitxmlrequestbody">LimitXMLRequestBody</a></code>
+      should be carefully configured to limit resource consumption
+      triggered by client input.</li>
 
       <li>On operating systems that support it, make sure that you use
-      the <code class="directive">AcceptFilter</code> directive
+      the <code class="directive"><a href="../mod/core.html#acceptfilter">AcceptFilter</a></code> directive
       to offload part of the request processing to the operating
       system.  This is active by default in Apache httpd, but may
       require reconfiguration of your kernel.</li>
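Review bot: In the added list item, the third entry, LimitRequestFileSize, and its link target ../mod/core.html#limitrequestfilesize do not match a core directive. The directive that bounds the size of a request header field is LimitRequestFieldSize, so as written the link will not resolve. Change both the link text and the anchor to LimitRequestFieldSize and #limitrequestfieldsize.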

Modified: httpd/httpd/trunk/docs/manual/misc/security_tips.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/misc/security_tips.xml?rev=369835&r1=369834&r2=369835&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/misc/security_tips.xml (original)
+++ httpd/httpd/trunk/docs/manual/misc/security_tips.xml Tue Jan 17 08:56:01 2006
@@ -56,17 +56,17 @@
 
     <title>Denial of Service (DoS) attacks</title>
 
-    <p>All network servers are subject to denial of service atacks
+    <p>All network servers can be subject to denial of service atacks
     that attempt to prevent responses to clients by tying up the
     resources of the server.  It is not possible to prevent such
     attacks entirely, but you can do certain things to mitigate the
     problems that they create.</p>
 
-    <p>Often the most effective anti-DoS tools will be a firewall or
-    other operating-system tools.  For example, most firewalls can be
-    configured to restrict the number of simultaneous connections from
-    any individual IP address or network, thus preventing a range of
-    simple attacks.</p>
+    <p>Often the most effective anti-DoS tool will be a firewall or
+    other operating-system configurations.  For example, most
+    firewalls can be configured to restrict the number of simultaneous
+    connections from any individual IP address or network, thus
+    preventing a range of simple attacks.</p>
 
     <p>There are also certain Apache HTTP Server configuration
     settings that can help mitigate problems:</p>
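Review bot: The rewritten second paragraph pairs a singular subject with a plural complement: "the most effective anti-DoS tool will be a firewall or other operating-system configurations". Suggest "a firewall or other operating-system configuration", or keep the plural on both sides. The "atacks" misspelling on the re-added first line should be fixed in this file as well.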
@@ -77,10 +77,19 @@
       Setting this to as low as a few seconds may be appropriate.  See
       also the <directive module="core">KeepAliveTimeout</directive>
       directive and various timeout-related directives provided by
-      other modules.</li>
+      different modules.</li>
+
+      <li>The directives 
+      <directive module="core">LimitRequestBody</directive>,
+      <directive module="core">LimitRequestFields</directive>,
+      <directive module="core">LimitRequestFileSize</directive>,
+      <directive module="core">LimitRequestLine</directive>, and
+      <directive module="core">LimitXMLRequestBody</directive>
+      should be carefully configured to limit resource consumption
+      triggered by client input.</li>
 
       <li>On operating systems that support it, make sure that you use
-      the <directive mdoule="core">AcceptFilter</directive> directive
+      the <directive module="core">AcceptFilter</directive> directive
       to offload part of the request processing to the operating
       system.  This is active by default in Apache httpd, but may
       require reconfiguration of your kernel.</li>
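Review bot: The added list item says only that the five directives "should be carefully configured", which gives an administrator nothing to act on. A sentence stating that lower limits reduce how much a single client request can make the server read and buffer would make the item usable. In the same item, <directive module="core">LimitRequestFileSize</directive> should read LimitRequestFieldSize, the actual core directive name.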

Modified: httpd/httpd/trunk/docs/manual/misc/security_tips.xml.ko
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/misc/security_tips.xml.ko?rev=369835&r1=369834&r2=369835&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/misc/security_tips.xml.ko [euc-kr] (original)
+++ httpd/httpd/trunk/docs/manual/misc/security_tips.xml.ko [euc-kr] Tue Jan 17 08:56:01 2006
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="EUC-KR" ?>
 <!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.ko.xsl"?>
-<!-- English Revision: 105989:179703 (outdated) -->
+<!-- English Revision: 105989:369829 (outdated) -->
 
 <!--
  Copyright 2004-2005 The Apache Software Foundation or its licensors,
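Review bot: The new upper bound in the English Revision comment, 369829, is not the revision this commit creates (369835), and this commit also changes security_tips.xml. If the marker is meant to record the English revision the translation now lags behind, confirm that 369829 is the intended value. No translated text changes in the visible lines, so leaving "(outdated)" in place is consistent.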