Re: Denial of Service using invalid Content-Length header

In message <>, Willy Tarreau writes:

>I would add that the *first* protection obviously is to have the
>server correctly implement timeouts, because if it is sensible to
>this attack, it's also sensible to simple client failure.

There is no possible timeout value which will both serve slow clients
in bad connectivity (iPhone4 ?) and prevent DoS attacks.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Received on Monday, 20 June 2011 17:04:05 UTC