Re: Denial of Service using invalid Content-Length header

On Mon, Jun 20, 2011 at 09:41:10PM +0000, Poul-Henning Kamp wrote:
> In message <20110620211911.GL2897@1wt.eu>, Willy Tarreau writes:
> >On Mon, Jun 20, 2011 at 05:03:32PM +0000, Poul-Henning Kamp wrote:
> 
> >> There is no possible timeout value which will both serve slow clients
> >> in bad connectivity (iPhone4 ?) and prevent DoS attacks.
> >
> >Yes, in practice you can, because even with bad connectivity you're generally
> >interested in covering holes as large as 30-60 seconds,
> 
> Well, your server may not crash, but it does not serve legitimate
> traffic either.

I'm sorry, I don't see your point. Why are you saying that the server does
not serve legitimate traffic? It will only break the dead connection but
still serve all the other ones well; that's the point of timeouts.

Also, that's why some protocols with very long sessions implement an
application-level keep-alive (e.g. SSH). That way it's possible to have
reasonable timeouts (e.g. twice the keep-alive interval) without keeping
dead connections forever.

Willy

Received on Monday, 20 June 2011 21:56:36 UTC
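The behaviour Willy describes above (a timeout that breaks only the dead connection while slow-but-alive ones are still served) as an added example, not code from this thread: a server-side body reader with a per-read idle timeout, exercised against two constructed clients that both announce a Content-Length of 8, one trickling the whole body and one stalling after 3 bytes. The 0.5 s timeout, 0.1 s gaps, payload and socketpair setup are constructed for the demonstration.

```python
import socket
import threading
import time

IDLE_TIMEOUT = 0.5  # constructed: seconds of silence tolerated between two chunks

def read_body(conn, content_length, idle_timeout=IDLE_TIMEOUT):
    """Read exactly content_length bytes with a per-read idle timeout: a slow but
    alive peer is served however long the whole transfer takes, a peer silent for
    more than idle_timeout is dropped. Returns the body, or None if broken off."""
    conn.settimeout(idle_timeout)
    buf = bytearray()
    try:
        while len(buf) < content_length:
            chunk = conn.recv(content_length - len(buf))
            if not chunk:  # peer closed before delivering the declared length
                return None
            buf += chunk
        return bytes(buf)
    except socket.timeout:  # dead connection: break it, keep serving the others
        return None
    finally:
        conn.close()

def trickle(sock, payload, gap, stop_after=None):
    """Constructed client: one byte every `gap` seconds; with stop_after set it
    goes silent after that many bytes and never sends the rest."""
    for i, b in enumerate(payload):
        if stop_after is not None and i >= stop_after:
            return
        sock.sendall(bytes([b]))
        time.sleep(gap)

def run_scenario():
    """Two concurrent connections, both announcing Content-Length: 8. One sends
    the whole body with 0.1 s gaps (0.8 s total, longer than the idle timeout,
    but never silent that long); the other stalls after 3 bytes."""
    payload = b"ABCDEFGH"
    alive_c, alive_s = socket.socketpair()
    dead_c, dead_s = socket.socketpair()
    results = {}
    threads = [
        threading.Thread(target=trickle, args=(alive_c, payload, 0.1)),
        threading.Thread(target=trickle, args=(dead_c, payload, 0.1, 3)),
        threading.Thread(target=lambda: results.update(alive=read_body(alive_s, 8))),
        threading.Thread(target=lambda: results.update(dead=read_body(dead_s, 8))),
    ]
    for t in threads: t.start()
    for t in threads: t.join()
    return results  # {'alive': b'ABCDEFGH', 'dead': None}
```

The slow client's total transfer time exceeds the idle timeout, yet it completes, because the timer restarts on every chunk; only the connection that actually goes quiet is cut.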