slowloris, accf_http and POST requests

Ruben de Groot mail25 at bzerk.org
Tue Jun 23 08:39:50 UTC 2009


On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
> In the last episode (Jun 22), Ruben de Groot said:
> > 
> > My main concern here is if applying the trivial patch I posted would break
> > anything in the http protocol layer. And if not, why isn't the POST method
> > included in the http accept filter in the first place?
> 
> The filter wasn't designed to be an anti-DOS tool; it was an optimization to
> save some context switches at the beginning of every request.  POSTs are

I know this. But in this particular case, it *works* as an anti-DOS tool. And a 
pretty good one too.

> infrequent, always include extra trailing data after the headers, and end up
> doing more processing at the server end than plain GET or HEADs, so
> buffering the first line of the request doesn't really help much.

Well, it helps against this slowloris script. And I don't see it costing much.

> You're better off adding a request-max-time limit to your webserver, or
> doing random-drops of existing connections if you get close to your fd or
> thread limit.

I'm exploring these options as well, but they have their own drawbacks.

Anyway, since it doesn't look like I'm breaking anything by buffering the POST
headers, I'm gonna maintain this as a local patch until something better comes
along.

Thanks for your input,
Ruben
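The exchange above turns on one detail of accf_http(9): the stock accept filter holds a connection in the kernel until a complete GET or HEAD request head has arrived, but hands any other method (POST included) to the server right away, which is why a slow, header-dribbling POST reaches the worker while a slow GET does not. The following user-space model, an added example and not code from the thread or from FreeBSD, makes that visible: it applies the stock method set and the POST-extended set side by side to the same partially received request, and layers on the request-header deadline Dan suggests. `MAX_HEADER_SECONDS`, `MAX_HEAD_BYTES` and the sample request bytes are constructed for the demonstration, not values from the thread.

```python
"""User-space model of an HTTP accept filter plus a request-head deadline.

Added example (not from the thread). It imitates the accept-filter idea:
a connection is handed to the web server only once a complete request
head (request line, headers, blank line) has been buffered, or at once
if the request method is one the filter does not buffer. A deadline on
the head, the "request-max-time" idea from the thread, is added on top.
"""
import re
from dataclasses import dataclass

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

# Methods the stock filter buffers, and the set with POST added as the
# thread's local patch does.
STOCK_METHODS = frozenset({b"GET", b"HEAD"})
PATCHED_METHODS = STOCK_METHODS | {b"POST"}

MAX_HEADER_SECONDS = 10.0   # assumed deadline for a complete head
MAX_HEAD_BYTES = 8192       # assumed upper bound on buffered head bytes


@dataclass
class Conn:
    """Per-connection state: when it was accepted and what has arrived."""
    started: float
    buf: bytes = b""

    def feed(self, data: bytes) -> None:
        self.buf += data


def filter_state(conn: Conn, now: float, methods=PATCHED_METHODS) -> str:
    """Classify a connection as 'wait', 'ready' or 'drop'.

    'ready' means the server process would be woken for this connection;
    'wait'  means the filter keeps buffering in the kernel;
    'drop'  means the deadline or size limit was exceeded.
    """
    if now - conn.started > MAX_HEADER_SECONDS or len(conn.buf) > MAX_HEAD_BYTES:
        return "drop"
    if b"\r\n" not in conn.buf:
        return "wait"                      # request line still incomplete
    m = REQUEST_LINE.match(conn.buf)
    if m is None or m.group(1) not in methods:
        # Not an HTTP/1.x request line the filter recognises, or a method
        # it does not buffer: handed to the application immediately.
        return "ready"
    if b"\r\n\r\n" in conn.buf:
        return "ready"                     # complete head buffered
    return "wait"                          # headers still trickling in


def compare(buf: bytes, now: float, started: float = 0.0) -> dict:
    """Show how the stock and patched filters treat the same bytes."""
    return {
        "stock": filter_state(Conn(started, buf), now, STOCK_METHODS),
        "patched": filter_state(Conn(started, buf), now, PATCHED_METHODS),
    }


if __name__ == "__main__":
    # Constructed sample heads: one complete GET, one POST whose headers
    # never finish (the pattern the thread is worried about).
    complete_get = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    slow_post = b"POST / HTTP/1.1\r\nHost: example.test\r\nX-a: 1\r\n"
    print("complete GET   @1s :", compare(complete_get, now=1.0))
    print("dribbling POST @1s :", compare(slow_post, now=1.0))
    print("dribbling POST @11s:", compare(slow_post, now=11.0))
```

With the stock method set the dribbling POST is reported `ready` at once, so a server thread is occupied while the remaining headers never arrive; with POST in the buffered set the same bytes stay `wait` in the filter and become `drop` once the deadline passes, without the server ever seeing the connection. The deadline applies to both sets, which is why the thread's two mitigations complement rather than replace each other.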



More information about the freebsd-questions mailing list