Posted to dev@httpd.apache.org by Bojan Smojver <bo...@rexursive.com> on 2009/07/05 02:20:00 UTC

LimitRequestRate configuration directive?

Just wondering if it would be useful to have a LimitRequestRate
configuration directive, which would then mitigate against Slowloris and
friends?

For instance, if Timeout is 5 seconds, Slowloris will push 8 bytes
through the pipe every 5 seconds (X-a: b\r\n), giving it the rate of 1.6
bytes per second. Quite obviously, this kind of input rate is not
something today's machines and networks are experiencing on a regular
basis, so requiring, say, 100 bytes per second or more in this scenario
would help against this kind of attack. In combination with other Limit
directives, the attacker would hit disconnect much faster, hopefully
giving legitimate clients more chance to get a thread/process.

Disclaimer: not a security expert by any stretch of imagination.
Bullshit filter advised :-)

-- 
Bojan
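
The arithmetic in the message above as a runnable sketch (an added example, not part of the original post and not httpd code): a minimum average request rate is checked on each read, and the time a worker stays occupied is compared with and without the limit. The names rate_policy_t, req_rate_t, rate_update and held_seconds, the 2-second grace period and the 8000-byte request size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical per-connection state; not an httpd structure. */
typedef struct {
    double start;   /* time the request read began, in seconds */
    size_t bytes;   /* request bytes received so far */
} req_rate_t;

/* Hypothetical policy; min_rate = 0 disables the check. */
typedef struct {
    double min_rate; /* required average bytes per second */
    double grace;    /* seconds before the rate is enforced */
} rate_policy_t;

/* Account for a read of n bytes at time now; return 1 to disconnect. */
static int rate_update(req_rate_t *c, const rate_policy_t *p, double now, size_t n)
{
    double elapsed = now - c->start;
    c->bytes += n;
    if (elapsed < p->grace) return 0;   /* too early to judge the rate */
    return (double)c->bytes < p->min_rate * elapsed;
}

/* Constructed client model: chunk bytes every interval seconds until total
   bytes have arrived. Returns how long the worker was held. */
static double held_seconds(const rate_policy_t *p, size_t chunk,
                           double interval, size_t total, int *dropped)
{
    req_rate_t c = { 0.0, 0 };
    double t = 0.0;
    *dropped = 0;
    while (c.bytes < total) {
        t += interval;
        if (rate_update(&c, p, t, chunk)) { *dropped = 1; break; }
    }
    return t;
}

int main(void)
{
    rate_policy_t off = { 0.0, 2.0 }, on = { 100.0, 2.0 };
    int d;
    double t = held_seconds(&off, 8, 5.0, 8000, &d);  /* 8 bytes per 5 s, no limit */
    printf("no limit: held %.1f s, dropped=%d\n", t, d);
    t = held_seconds(&on, 8, 5.0, 8000, &d);          /* same client, 100 B/s floor */
    printf("100 B/s:  held %.1f s, dropped=%d\n", t, d);
    t = held_seconds(&on, 100, 0.5, 600, &d);         /* constructed 200 B/s client */
    printf("honest:   held %.1f s, dropped=%d\n", t, d);
    return 0;
}
```

The grace period keeps the check from firing before enough time has passed for an average rate to mean anything.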