Mailing List Archive: Apache: Dev

Re: [Fwd: Slowloris]



dirkx at webweaving

Jun 22, 2009, 5:23 AM

Post #1 of 2
Re: [Fwd: Slowloris]

(moved to dev@ - as this issue is now perfectly public).

Ben Laurie wrote:
> Dirk-Willem van Gulik wrote:
>> Ben Laurie wrote:
>>> What does that matter? If you need to do it less to Apache, then Apache
>>> is broken in comparison to the others.
>>>
>> Completely agreed - no need to get into a spitting match as to who is
>> most broken. We had the same problem in 96 or so - and they were a
>> total pain to deal with. Options of dealing with this can be
>>
>> - Very aggressive timeouts and intentionally delaying/increasing the
>>   cost of the TCP setup - but you are in freebsd/solaris style kernel
>>   filters.
>>
>> - Very aggressive timeouts generally - but you penalize the 14k4 modem
>>   users.
>>
>> - Binning users after a while in such a group - but then you penalize
>>   certain ISPs or NAT-blocks.
>>
>> - Not do much - but a graded response when you get resource tight; i.e.
>>   start prioritizing 'active' connections over slow ones. Either by
>>   making the timeouts an exponential function of the load or by some
>>   simple binning (which is what we did in phase 2).
>>
>> - Hand off (too) inactive connections to something cheaper - this is
>>   what we did in the final phase - using a single thread, select() loop
>>   with fixed buffer footprint. However that used a solaris inter process
>>   'file descriptor passing' message - which I guess is out of vogue now.
>
> Why? This is actually quite in vogue for security reasons :-)

Sounds like I have missed something. Blush :) (Especially after reading up on
all the work in openbsd :)!).

Having read up on it a bit - so is it fair to conclude that the mechanism for
passing file descriptors between processes is now a solid cross platform
thing? But I am not seeing something easy in APR? Do we have modules
already doing this?

>> And really - in this day and age you probably want to tell your
>> switch/router/network-piece-of-kit/dog to move the TCP to another machine.

And I have no idea if there are any APIs for this which are cross vendor.

>> - Seriously rewrite apache/add a worker which mimics the accept_filter.ko
>>   of freebsd somewhat in that it is a single threaded async select() loop
>>   which buffers things up until they are cooked enough (i.e. the client has
>>   enough skin in the game) to hand off to a real worker.
>>
>> Any more approaches possible ?

Dw
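The hand-off scheme Dirk describes (a single-threaded select() loop that parks raw connections in a fixed buffer and passes the descriptor to a real worker only once the request is "cooked"), as an added example in C. This is not code from the thread, from Apache or from APR; it assumes Unix-domain sockets with SCM_RIGHTS descriptor passing (Linux and the BSDs), and the names `struct parked`, `front_step`, `send_fd`, `recv_fd` and the constructed request in `demo` are mine:

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define HEAD_MAX 8192   /* a request head that will not fit here never "cooks" */

/* One parked connection: the client socket plus the raw bytes read so far. */
struct parked {
    int fd;
    size_t len;
    char buf[HEAD_MAX];
};

/* "Cooked" = the blank line ending the request head has arrived; until then
 * the client has no skin in the game and no worker is spent on it. */
int request_cooked(const char *buf, size_t len)
{
    for (size_t i = 0; i + 3 < len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) return 1;
    return 0;
}

/* Pass fd over the Unix-domain socket chan as SCM_RIGHTS ancillary data, with
 * the buffered head as payload so the worker receives both in one message. */
ssize_t send_fd(int chan, int fd, const void *data, size_t len)
{
    struct iovec iov = { .iov_base = (void *)data, .iov_len = len };
    union { struct cmsghdr hdr; char raw[CMSG_SPACE(sizeof(int))]; } ctl;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    memset(&ctl, 0, sizeof ctl);
    msg.msg_iov = &iov;            msg.msg_iovlen = 1;
    msg.msg_control = ctl.raw;     msg.msg_controllen = sizeof ctl.raw;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0);
}

/* Worker side: payload goes to data, the passed descriptor to *fd_out (-1 if
 * none came along).  Returns the payload length, or -1 on error. */
ssize_t recv_fd(int chan, int *fd_out, void *data, size_t cap)
{
    struct iovec iov = { .iov_base = data, .iov_len = cap };
    union { struct cmsghdr hdr; char raw[CMSG_SPACE(sizeof(int))]; } ctl;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;            msg.msg_iovlen = 1;
    msg.msg_control = ctl.raw;     msg.msg_controllen = sizeof ctl.raw;
    ssize_t n = recvmsg(chan, &msg, 0);
    *fd_out = -1;
    if (n < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
            memcpy(fd_out, CMSG_DATA(c), sizeof(int));
    return n;
}

/* Front-loop step for a connection that poll()/select() reported readable.
 * Returns 1 once the head is complete and the socket was handed to the worker
 * over chan, 0 while still parked, -1 if the peer went away or the head
 * overflowed HEAD_MAX (the caller closes p->fd then). */
int front_step(struct parked *p, int chan)
{
    if (p->len >= sizeof p->buf) return -1;
    ssize_t n = read(p->fd, p->buf + p->len, sizeof p->buf - p->len);
    if (n <= 0) return -1;
    p->len += (size_t)n;
    if (!request_cooked(p->buf, p->len)) return 0;
    if (send_fd(chan, p->fd, p->buf, p->len) < 0) return -1;
    close(p->fd);                  /* the worker now holds its own reference */
    p->fd = -1;
    return 1;
}

/* Stand-alone run on socketpairs with a constructed request (no network): the
 * client sends its head in two pieces, the front parks it and then hands it
 * off, the worker answers on the passed socket.  Returns 0 on success and
 * copies the head the worker received into head. */
int demo(char *head, size_t cap)
{
    int cf[2], fw[2];              /* client<->front and front<->worker */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, cf) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fw) < 0) return -1;
    struct parked p = { .fd = cf[1], .len = 0 };
    const char *part1 = "GET / HTTP/1.1\r\nHost: example.test\r\n";
    if (write(cf[0], part1, strlen(part1)) < 0) return -2;
    if (front_step(&p, fw[0]) != 0) return -3;   /* incomplete: stays parked */
    if (write(cf[0], "\r\n", 2) < 0) return -2;
    if (front_step(&p, fw[0]) != 1) return -4;   /* cooked: handed to worker */
    int wfd = -1;
    ssize_t n = recv_fd(fw[1], &wfd, head, cap - 1);
    if (n < 0 || wfd < 0) return -5;
    head[n] = '\0';
    const char *resp = "HTTP/1.1 204 No Content\r\n\r\n";
    if (write(wfd, resp, strlen(resp)) < 0) return -6;
    char echo[64];
    ssize_t m = read(cf[0], echo, sizeof echo);  /* client sees the reply */
    close(wfd); close(cf[0]); close(fw[0]); close(fw[1]);
    return (m == (ssize_t)strlen(resp) && memcmp(echo, resp, (size_t)m) == 0) ? 0 : -7;
}
```

A parked client costs the front loop one HEAD_MAX buffer and one poll() slot rather than a worker thread or process, and a client that never sends the blank line ties up only that; the real loop would additionally carry a per-connection deadline so even the cheap slot is reclaimed. As Christian points out in the next message, this only works for cleartext HTTP: under TLS the front cannot see the request head unless it terminates the session itself.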


christian.folini at netnea

Jun 22, 2009, 1:46 PM

Post #2 of 2
Re: [Fwd: Slowloris]

On Mon, Jun 22, 2009 at 02:23:12PM +0200, Dirk-Willem van Gulik wrote:
>>> - Seriously rewrite apache/add a worker which mimics the accept_filter.ko
>>>   of freebsd somewhat in that it is a single threaded async select() loop
>>>   which buffers things up until they are cooked enough (i.e. the client has
>>>   enough skin in the game) to hand off to a real worker.

Is not this mechanism limited to HTTP, missing HTTPS? So I
do not think it can be a general solution.

I am not an apache developer, but would not the event MPM be of
some use in this case?

Otherwise, I see a lack of granular timeout values. RSnake's
latest take can be fought with a low KeepAliveTimeout
(-> http://ha.ckers.org/blog/20090620/http-longevity-during-dos/)
One should be able to assign timeouts to other request phases too.
And it should be possible to set these timeouts in a way that a
subsequent header or a single post payload byte is not resetting
them to zero again.

Just my 2 cents

Christian Folini

--
If you shut your door to all errors truth will be shut out.
--- Rabindranath Tagore
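Christian's request for per-phase timeouts that a single header line or one POST byte cannot reset, together with Dirk's "graded response" of shrinking timeouts as load rises (exponential or binned), as an added example in C. It is not code from the thread or from Apache; Apache later shipped the same shape as mod_reqtimeout (`RequestReadTimeout header=20-40,MinRate=500`), but `struct phase_budget`, `phase_feed`, `load_binned_budget` and the two simulations on constructed traffic are mine, and the 20 s / 40 s / 500 bytes-per-second figures are example settings, not recommendations:

```c
#include <stddef.h>

/* Budget for one read phase (request head, then body).  The deadline is
 * absolute: fixed when the phase starts, stretched by received bytes only by
 * what they earn at min_rate, and never past hard_cap. */
struct phase_budget {
    double deadline;   /* current absolute deadline, in seconds */
    double hard_cap;   /* the deadline can never move past this */
    double min_rate;   /* bytes per second a client must sustain to earn time */
};

void phase_begin(struct phase_budget *b, double now, double initial_secs,
                 double max_secs, double min_rate)
{
    b->deadline = now + initial_secs;
    b->hard_cap = now + max_secs;
    b->min_rate = min_rate;
}

/* Account for nbytes that arrived at time now.  Returns 1 = drop the
 * connection, 0 = keep reading.  A header line or a single POST byte buys
 * nbytes/min_rate seconds, not a fresh full timeout. */
int phase_feed(struct phase_budget *b, double now, size_t nbytes)
{
    if (now > b->deadline) return 1;
    if (b->min_rate > 0) {
        b->deadline += (double)nbytes / b->min_rate;
        if (b->deadline > b->hard_cap) b->deadline = b->hard_cap;
    }
    return 0;
}

/* How long the front loop may sleep in poll() for this connection; <= 0 means
 * it has already expired and should be closed without another read. */
double phase_remaining(const struct phase_budget *b, double now)
{
    return b->deadline - now;
}

/* Graded response: shrink the initial budget as the server fills up.  load is
 * the fraction of worker slots in use (0..1); each of `bands` load bands
 * halves the budget, a piecewise exponential function of load. */
double load_binned_budget(double budget_secs, double load, int bands)
{
    if (load < 0) load = 0;
    if (load > 1) load = 1;
    for (int band = (int)(load * bands); band > 0; band--) budget_secs /= 2;
    return budget_secs;
}

/* Simulations on constructed traffic: a client sends `chunk` bytes every
 * `interval` seconds until head_size bytes are in.  Both return the time at
 * which the connection was dropped, or -1 if the whole head got through. */

/* The policy Christian objects to: an idle timeout restarted by every read. */
double simulate_idle_reset(double interval, size_t chunk, size_t head_size,
                           double idle_timeout)
{
    double t = 0, last = 0;
    for (size_t got = 0; got < head_size; got += chunk) {
        t += interval;
        if (t - last > idle_timeout) return t;
        last = t;                  /* each byte resets the clock to zero */
    }
    return -1;
}

/* The phase budget: head phase 20 s, extendable to 40 s at 500 bytes/s. */
double simulate_budget(double interval, size_t chunk, size_t head_size)
{
    struct phase_budget b;
    double t = 0;
    phase_begin(&b, 0.0, 20.0, 40.0, 500.0);
    for (size_t got = 0; got < head_size; got += chunk) {
        t += interval;
        if (phase_feed(&b, t, chunk)) return t;
    }
    return -1;
}
```

With a 10 s idle timeout, a client sending one header byte every 9 s holds a slot for the full 400-byte head (an hour); under the budget it is cut off at 27 s, while a modem-speed client sending 40 bytes a second still finishes with time to spare. In a server, `phase_begin` would be called again when the body phase starts, `phase_remaining` would set the poll() timeout, and `load_binned_budget` would supply `initial_secs` from the current worker occupancy.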
