slowloris, accf_http and POST requests

Fabian Keil freebsd-listen at fabiankeil.de
Tue Jun 23 15:23:29 UTC 2009


Ruben de Groot <mail25 at bzerk.org> wrote:

> On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
> > In the last episode (Jun 22), Ruben de Groot said:
> > > 
> > > My main concern here is if applying the trivial patch I posted would
> > > break anything in the http protocol layer. And if not, why isn't the
> > > POST method included in the http accept filter in the first place?
> > 
> > The filter wasn't designed to be an anti-DOS tool; it was an
> > optimization to save some context switches at the beginning of every
> > request.  POSTs are
> 
> I know this. But in this particular case, it *works* as an anti-DOS
> tool. And a pretty good one too.

How did you verify this?

accf_http doesn't require a complete request but will also
pass the connection to the userland if its buffer is full.

If you continue to send headers that will happen eventually and if
you're impatient, you simply have to send a bit more headers at the
beginning to reach the application faster.

Fabian
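
The hand-off behaviour discussed in this thread, as an added example that is not part of the original message and is not the FreeBSD accf_http source: a simplified userland model of when the filter releases a connection to the application. The names accf_model and accf_verdict, the cap parameter (standing in for the receive buffer size) and the sample requests are assumptions made for illustration; the real filter performs further checks that are omitted here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the decision only; hypothetical names throughout. */
enum accf_verdict {
    ACCF_HOLD,          /* keep the connection in the kernel, wait for data */
    ACCF_PASS_COMPLETE, /* header block is terminated: wake accept() */
    ACCF_PASS_FULL,     /* buffer full, request still incomplete: pass anyway */
    ACCF_PASS_UNKNOWN   /* method the filter does not handle (e.g. POST) */
};

/* True while buf is a prefix of m, or m is a prefix of buf. */
static int could_be(const char *buf, size_t len, const char *m)
{
    size_t n = strlen(m);
    return memcmp(buf, m, len < n ? len : n) == 0;
}

static int ends_with(const char *buf, size_t len, const char *s)
{
    size_t n = strlen(s);
    return len >= n && memcmp(buf + len - n, s, n) == 0;
}

/* cap is the assumed buffer capacity; len is what has been received so far. */
enum accf_verdict accf_model(const char *buf, size_t len, size_t cap)
{
    if (!could_be(buf, len, "GET ") && !could_be(buf, len, "HEAD "))
        return ACCF_PASS_UNKNOWN;   /* not filtered: application sees it at once */
    if (ends_with(buf, len, "\r\n\r\n") || ends_with(buf, len, "\n\n"))
        return ACCF_PASS_COMPLETE;
    if (len >= cap)
        return ACCF_PASS_FULL;      /* incomplete headers still reach userland */
    return ACCF_HOLD;
}

int main(void)
{
    /* Constructed sample: a GET whose header block is never terminated. */
    const char *slow = "GET / HTTP/1.1\r\nHost: example.test\r\nX-a: b\r\n";
    printf("room left in buffer: %d\n", accf_model(slow, strlen(slow), 4096));
    printf("buffer exhausted:    %d\n", accf_model(slow, strlen(slow), strlen(slow)));
    return 0;
}
```

The ACCF_PASS_FULL and ACCF_PASS_UNKNOWN verdicts are the cases in which an unfinished request reaches the server, so the server still has to enforce its own limit on how long a request may remain incomplete.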


More information about the freebsd-questions mailing list