W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2011

Re: Denial of Service using invalid Content-Length header

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 20 Jun 2011 23:56:03 +0200
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Jan Starke <jan.starke@outofbed.org>, ietf-http-wg@w3.org
Message-ID: <20110620215603.GP2897@1wt.eu>
On Mon, Jun 20, 2011 at 09:41:10PM +0000, Poul-Henning Kamp wrote:
> In message <20110620211911.GL2897@1wt.eu>, Willy Tarreau writes:
> >On Mon, Jun 20, 2011 at 05:03:32PM +0000, Poul-Henning Kamp wrote:
> 
> >> There is no possible timeout value which will both serve slow clients
> >> in bad connectivity (iPhone4 ?) and prevent DoS attacks.
> >
> >Yes in practice you can because even with bad connectivity you're generally
> >interested by covering holes as large as 30-60 seconds, 
> 
> Well your sever may not crash, but it does not serve legitimate
> traffic either.

I'm sorry, I don't see your point. Why are you saying that the server does
not serve legitimate traffic ? It will only break the dead connection but
still serve all other ones well, that's the point of timeouts.

Also that's why some protocols with very long sessions implement an
application-level keep-alive (eg: SSH). That way it's possible to have
reasonable timeouts (eg. twice the keep-alive interval) without keeping
dead connections forever.

Willy
Received on Monday, 20 June 2011 21:56:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:41 GMT