- From: Yves Lafon <ylafon@w3.org>
- Date: Mon, 13 Oct 2008 08:12:18 -0400 (EDT)
- To: Stefanos Harhalakis <v13@v13.gr>
- cc: Julian Reschke <julian.reschke@gmx.de>, ietf-http-wg@w3.org
On Sun, 12 Oct 2008, Stefanos Harhalakis wrote:
>> I agree that this is a nice DOS scenario, but wouldn't it be possible to
>> do the same just with a bunch of concurrent, repeating GET requests on
>> the same URI?
>
> Indeed, repeated GET requests will have the same result but they will be a bit
> less robust. For every repeated request that the client side transmits there
> is a (not so small) possibility of the request being lost. If this problem is
> of size X then it is practically multiplied by the number of repeated ranges
> that the client side may request.
Some servers are limiting the number of requests per connections (in
pipelining mode or not), others try to detect abuse on the whole server,
both are counter-measures not present in the HTTP RFC but part of
implementation experience.
In the same vein, refusing overlapping range request that would be bigger
than exporting the whole document (and serving the document instead) seems
to be a sane implementation choice, but the spec shouldn't cover all those
corner cases, IMHO.
--
Baroula que barouleras, au tiéu toujou t'entourneras.
~~Yves
Received on Monday, 13 October 2008 12:12:53 UTC