
Re: Denial of Service using invalid Content-Length header

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Mon, 20 Jun 2011 17:03:32 +0000
To: Willy Tarreau <w@1wt.eu>
cc: Jan Starke <jan.starke@outofbed.org>, ietf-http-wg@w3.org
Message-ID: <30922.1308589412@critter.freebsd.dk>
In message <20110620163813.GA12762@1wt.eu>, Willy Tarreau writes:

>I would add that the *first* protection obviously is to have the
>server correctly implement timeouts, because if it is sensible to
>this attack, it's also sensible to simple client failure.

There is no possible timeout value which will both serve slow clients
in bad connectivity (iPhone4 ?) and prevent DoS attacks.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 20 June 2011 17:04:05 UTC
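Editor's added example (not from the thread or from any of the posters) that puts numbers on the objection above: with a fixed idle timeout T, each stalled request holds a worker slot for T seconds, so a steady stream of bogus Content-Length requests occupies rate * T slots, while any T short enough to bound that also cuts off legitimate clients whose inter-byte gaps exceed it. The slot pool, attacker rate and slow-client gap figures are constructed assumptions.

```python
"""Capacity model for the timeout trade-off: does any idle timeout T both keep
slow legitimate clients alive and stop stalled-body requests from exhausting
the worker pool?  All numbers below are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    slots: int                 # concurrent request slots the server can hold
    attack_rate: float         # stalled requests opened per second, sustained
    slow_client_gaps: tuple    # worst inter-byte gap (s) seen per legit slow client


def attacker_slots_held(s: Scenario, timeout: float) -> float:
    """Little's law: a request that sends Content-Length and then nothing sits
    in a slot until the idle timeout fires, so steady-state occupancy is
    arrival rate multiplied by timeout."""
    return s.attack_rate * timeout


def legit_clients_dropped(s: Scenario, timeout: float) -> float:
    """Fraction of legitimate slow clients whose worst gap exceeds the timeout
    and who would therefore be disconnected mid-request."""
    dropped = sum(1 for gap in s.slow_client_gaps if gap > timeout)
    return dropped / len(s.slow_client_gaps)


def viable_timeouts(s: Scenario, max_drop: float, candidates) -> list:
    """Timeouts that keep the legit drop rate at or below max_drop AND leave the
    attacker short of filling the pool.  Empty list means no value of T works."""
    return [t for t in candidates
            if legit_clients_dropped(s, t) <= max_drop
            and attacker_slots_held(s, t) < s.slots]


# Constructed scenario: 1000 slots, a modest 100 stalled requests/s, and six
# legitimate clients on poor links whose worst gaps range from 0.5 s to 45 s.
EXAMPLE = Scenario(slots=1000, attack_rate=100.0,
                   slow_client_gaps=(0.5, 2.0, 8.0, 15.0, 30.0, 45.0))
CANDIDATE_TIMEOUTS = (1.0, 2.0, 5.0, 10.0, 20.0, 30.0, 45.0, 60.0)


if __name__ == "__main__":
    for t in CANDIDATE_TIMEOUTS:
        print(f"T={t:5.1f}s  attacker holds {attacker_slots_held(EXAMPLE, t):6.0f} "
              f"slots  legit dropped {legit_clients_dropped(EXAMPLE, t):.0%}")
    print("viable timeouts:", viable_timeouts(EXAMPLE, 0.05, CANDIDATE_TIMEOUTS))
```

With the attacker removed (attack_rate=0) the same search returns the long timeouts, which is the point: the constraint that kills every candidate is the attacker's occupancy, not the slow clients.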
