- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 21 Feb 2013 08:29:17 +0100
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Thu, Feb 21, 2013 at 06:21:02PM +1100, Mark Nottingham wrote:
>
> On 21/02/2013, at 6:06 PM, Willy Tarreau <w@1wt.eu> wrote:
>
> > That's a great test, thanks for reporting this !
> > I think that some experiments may be pursued using :
> >   - valid, known methods and versions (eg: POST * HTTP/1.1)
> >   - Connection header
> >
> > I suspect that POST will be blocked on a large number of minimal web
> > servers (the least compliant ones), add to that "*" which will most
> > often not be accepted, and HTTP/1.1 without a Host header field might
> > help getting a quick fail. At this point, I don't know if a Connection
> > header could help or not (typically Upgrade).
>
> Hm. POST has a body, so some might try to buffer it, hanging. Anyway, that's a theory; let's look at the numbers:
>
> POST * HTTP/1.1\r\n\r\n
>  27607 CLOSE
>    232 CONN_ERR
>   7309 TIMEOUT
>
> Yep, not as good.

Indeed, thanks!

Do you know if the ones which time out in your tests respond to anything ?
And if so, maybe we'll find some patterns (eg: just a few very specific
implementations) that are worth studying ?

It's also possible that those are blocked by IDS/IPS in front of them
simply dropping packets, at which point trying completely valid requests
might help.

Willy
Received on Thursday, 21 February 2013 07:29:45 UTC
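
The measurement discussed in this message, as an added example that is not part of the original thread or of either poster's tooling: a probe sender that sorts each server's reaction into the three labels from the table and keeps any bytes received, so that a TIMEOUT with a non-empty reply can be told apart from complete silence. The label definitions, the function names and the loopback test servers are assumptions constructed for this sketch.

```python
import socket
import threading
from collections import Counter

PROBE = b"POST * HTTP/1.1\r\n\r\n"  # the request quoted in the thread

def classify(host, port, probe=PROBE, timeout=2.0):
    """Send the probe; return (outcome, reply bytes). Label meanings are assumed."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(probe)
            while True:
                chunk = s.recv(4096)
                if not chunk:              # orderly close by the peer
                    return "CLOSE", reply
                reply += chunk
    except socket.timeout:                 # nothing sent or closed in time
        return "TIMEOUT", reply
    except OSError:                        # refused, reset, unreachable
        return "CONN_ERR", reply

def start_server(handler):
    """Constructed one-shot test server on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        handler(conn)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def tally(targets, **kw):
    """Count outcomes over (host, port) pairs, like the table in the thread."""
    return Counter(classify(h, p, **kw)[0] for h, p in targets)

if __name__ == "__main__":
    def reject(conn):                      # minimal server: error, then close
        conn.recv(4096)
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        conn.close()
    def hang(conn):                        # server waiting for a body
        conn.recv(4096)
        threading.Event().wait(3)
        conn.close()
    ports = [start_server(reject), start_server(hang)]
    print(tally([("127.0.0.1", p) for p in ports], timeout=1.0))
```

A path that silently drops packets, as suggested for IDS/IPS above, also surfaces here as TIMEOUT because the connect attempt itself times out.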