Re: [Fwd: Slowloris]

(moved to dev@ - as this issue is now perfectly public).

Ben Laurie wrote:

Dirk-Willem van Gulik wrote:

Ben Laurie wrote:

What does that matter? If you need to do it less to Apache, then Apache
is broken in comparison to the others.

Completely agreed - no need to get into a spitting match as to whom is
most broken. We had the same problem in 96 or so - and they where a
total pain to deal with. Options of dealing with this can be

-    Very agressive timeouts and intentionally delaying/increasing the
cost of
     the TCP setup - but you are in freebsd/solaris style kernel filters.

-    Very agressive timeouts generally - but you penalize the 14k4 modem
users.

-    Binning users after a while in such a group - but then you penalize
certain
     ISPs or NAT-blocks.

-    Not do much - but a graded response when you get resource tight; i.e.
     start prioritizing 'active' connections over slow ones. Either by
making the
     timeouts an exponentional function of the load or by some simple
binning
     (which is what we did in phase 2).

-    Hand off (too) inactive conncetions to something cheaper - this is
what
      we did in the final phase - using a single thread, select() loop
with fixed buffer
     footprint. However that used a solaris inter process 'file
descriptor passing'
     message - which I guess is out of vogue now.

Why? This is actually quite in vogue for security reasons :-)

And really - in this
day and
     age you propably want to tell your
switch/router/network-piece-of-kit/dog
     to move the TCP to another machine.

And I have no idea if there are any API's for this which are cross vendor.

-    Seriously rewrite apache/add a worker which mimics the
accept_filter.ko
     of freebsd somewhat in that it as a single threaded async select() loop
     which buffers things up until they are cooked enough (i.e. the
client has
     enough skin in the game) to hand off to a real worker.

Any more approaches possible ?

Dw