- From: Cullen Jennings <fluffy@cisco.com>
- Date: Tue, 13 Dec 2005 16:00:23 -0800
- To: Lisa Dusseault <lisa@osafoundation.org>, Julian Reschke <julian.reschke@gmx.de>
- CC: WebDav <w3c-dist-auth@w3.org>
On 12/1/05 10:58 AM, "Lisa Dusseault" <lisa@osafoundation.org> wrote:

> We discussed this during the conference call: 5xx is a server error,
> in particular 503 means "not now but maybe later". If a server detects
> a DOS attack, that's the last thing it would want to tell the client.

Hmm, there might be some places you want this. This is not a Chair comment - just take it as a random individual comment.

Imagine you had, say, 40,000 phones that all got their config information over DAV in some enterprise. When the building power cycles, they all go and hit the server at the same time. I call this a Start of Service attack (SOS), but it is a lot like DDOS from the server's point of view. Some other protocols have found that returning a 5xx with a Retry-After time is very useful here. The retry time can be adjusted based on the depth of the queue in the server and the length of time the server has been in an overload state, to push the retries out to a point where the server has a chance of processing them instead of just sending the 503. The load balancer can realize the servers are overloaded and switch traffic to servers that can send the 503 at extremely high rates.

There are also systems built to deal with very large DDOS attacks that do things like the following. Imagine that an ISP has a client with a server at address X. The server tells the ISP that it is under DDOS attack. The ISP has a system that "steals" address X and routes all traffic to that system. The first thing it does with any request is some bounce back, such as a 503 with a Retry-After of 0 seconds; if the client retries, at least the client is doing some work. This often helps differentiate good clients from DDOS attackers. Then the ISP system forwards the request on to the original server but keeps track of where the requests are coming from. Now the ISP can see that 90% of the requests are coming into its network from one particular other AS.

The ISP can rate limit the requests from that one AS at the edge of the ISP and allow the requests from all the other ASes to not be rate limited. This allows valid clients coming from different ASes to not be affected, and clients in the same AS as the attacker to be severely rate limited. It takes advantage of the 5xx to verify that there is a valid client at the sender of a request. This approach has been used to stop some very large scale DDOS attacks on large web sites. It works well for HTTP.

Anyways, other protocols have found 5xx with Retry-After one of the best ways to handle temporary overload on the servers. I agree, if you know something is a DOS attack, the best thing might be to not respond, but it is very difficult to distinguish which particular request during a DDOS attack is a bad one and which is good.

Cullen (not as chair)
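The two mechanisms the message sketches, a Retry-After that grows with queue depth and overload duration, and a first-contact 503 "bounce back" with per-AS accounting, as an added example that is not part of the original post. The service rate, queue limit, cap and the `OverloadFront` name are assumptions, not values from the thread.

```python
"""503 + Retry-After overload shedding with a bounce-back check (added example)."""
from collections import Counter
from dataclasses import dataclass, field

SERVICE_RATE_PER_SEC = 200.0   # assumed rate at which the backend drains its queue
QUEUE_LIMIT = 1000             # assumed queue depth above which load is shed
MAX_RETRY_AFTER = 600          # assumed cap (seconds) on how far retries are pushed


def retry_after_seconds(queue_depth: int, overload_seconds: float) -> int:
    """Push retries out further the deeper the queue and the longer the overload
    has lasted, so thousands of clients do not all come back at the same instant."""
    drain_time = queue_depth / SERVICE_RATE_PER_SEC      # seconds to work off the queue
    spread = 0.5 * overload_seconds                      # widen the window as overload persists
    return int(min(MAX_RETRY_AFTER, max(1, drain_time + spread)))


@dataclass
class OverloadFront:
    """Front end standing in for address X: first contacts get 503 Retry-After: 0
    (the bounce back), clients that retry are forwarded unless the queue is too
    deep, and per-AS counts let the operator see which network sends most traffic."""
    seen: set = field(default_factory=set)
    by_as: Counter = field(default_factory=Counter)

    def handle(self, client: str, origin_as: int, queue_depth: int,
               overload_seconds: float):
        self.by_as[origin_as] += 1
        if client not in self.seen:
            self.seen.add(client)            # unseen client: make it do some work first
            return 503, {"Retry-After": "0"}
        if queue_depth > QUEUE_LIMIT:        # proven client, but we are overloaded
            ra = retry_after_seconds(queue_depth, overload_seconds)
            return 503, {"Retry-After": str(ra)}
        return 200, {}                       # forward to the original server

    def top_source_share(self):
        """(AS number, fraction of all requests) for the busiest source AS."""
        total = sum(self.by_as.values())
        asn, n = self.by_as.most_common(1)[0]
        return asn, n / total


if __name__ == "__main__":
    front = OverloadFront()
    print(front.handle("10.0.0.1", 64500, 0, 0))       # constructed client: bounced
    print(front.handle("10.0.0.1", 64500, 0, 0))       # retried: forwarded
    print(front.handle("10.0.0.1", 64500, 5000, 20))   # overloaded: Retry-After: 35
```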
Received on Wednesday, 14 December 2005 00:00:36 UTC