dirkx at webweaving
Jun 22, 2009, 5:23 AM
Views: 271
Permalink
|
(moved to dev@ - as this issue is now perfectly public).
Ben Laurie wrote:
> Dirk-Willem van Gulik wrote:
>> Ben Laurie wrote:
>>> What does that matter? If you need to do it less to Apache, then Apache
>>> is broken in comparison to the others.
>>>
>> Completely agreed - no need to get into a spitting match as to whom is
>> most broken. We had the same problem in 96 or so - and they where a
>> total pain to deal with. Options of dealing with this can be
>>
>> - Very agressive timeouts and intentionally delaying/increasing the
>> cost of
>> the TCP setup - but you are in freebsd/solaris style kernel filters.
>>
>> - Very agressive timeouts generally - but you penalize the 14k4 modem
>> users.
>>
>> - Binning users after a while in such a group - but then you penalize
>> certain
>> ISPs or NAT-blocks.
>>
>> - Not do much - but a graded response when you get resource tight; i.e.
>> start prioritizing 'active' connections over slow ones. Either by
>> making the
>> timeouts an exponentional function of the load or by some simple
>> binning
>> (which is what we did in phase 2).
>>
>> - Hand off (too) inactive conncetions to something cheaper - this is
>> what
>> we did in the final phase - using a single thread, select() loop
>> with fixed buffer
>> footprint. However that used a solaris inter process 'file
>> descriptor passing'
>> message - which I guess is out of vogue now.
>
> Why? This is actually quite in vogue for security reasons :-)
Sounds I have missed something. Blush :) (Especially after reading up on
all the work in openbsd :)!).
Having read up on it a bit - so fair to conclude that the mechanism for
passing file descriptors between processes is now a solid cross platform
thing ? But I am no seeing something easy in APR ? Do we have modules
already doing this ?
>> And really - in this
>> day and
>> age you propably want to tell your
>> switch/router/network-piece-of-kit/dog
>> to move the TCP to another machine.
And I have no idea if there are any API's for this which are cross vendor.
>> - Seriously rewrite apache/add a worker which mimics the
>> accept_filter.ko
>> of freebsd somewhat in that it as a single threaded async select() loop
>> which buffers things up until they are cooked enough (i.e. the
>> client has
>> enough skin in the game) to hand off to a real worker.
>>
>> Any more approaches possible ?
Dw
|
Re: [Fwd: Slowloris]
