Date: Fri, 1 Sep 2000 07:44:39 +0000
From: Tony Finch <dot@dotat.at>
To: Alfred Perlstein <bright@wintelcom.net>
Cc: Steve Lewis <nepolon@systray.com>, "James E. Pace" <jepace@pobox.com>, freebsd-questions@FreeBSD.ORG
Subject: Re: Scaling Apache?
Message-ID: <20000901074439.A515@hand.dotat.at>
In-Reply-To: <20000831183454.E18862@fw.wintelcom.net>
References: <20000828114314.Y1209@fw.wintelcom.net> <Pine.BSF.4.05.10008281156450.22201-100000@greg.ad9.com> <20000828115822.A1209@fw.wintelcom.net> <20000831013646.C25064@hand.dotat.at> <20000830190849.B18862@fw.wintelcom.net> <20000831033930.D25064@hand.dotat.at> <20000831183454.E18862@fw.wintelcom.net>
Alfred Perlstein <bright@wintelcom.net> wrote:
>Tony Finch <dot@dotat.at> wrote:
>>Alfred Perlstein <bright@wintelcom.net> wrote:
>>>
>>>May I make two suggestions:
>>>1) just issue a warning and continue on if the filter isn't available
>>
>> I decided to just continue and not issue a warning because in the
>> usual case accept filters aren't required and they can cause trouble
>> (greater vulnerability to DOS attacks). If the user is sufficiently
>> interested in them they'll find out about it from the release notes
>> and performance tuning documentation.
>
>This is complete bullshit, people need to actually read the code
>before making blanket statements like this.

What, the thing about DOS attacks? I did read and try out the code,
which is where the concern came from.

>>>2) allow a runtime/compiletime option to use the 'httpready' module
>>> as it offers substantial benefits over dataready.
>>
>> There's already a compile time option.
>
>runtime would be nicer.

Yes, but since 1.3 is approaching the end of its life we don't want
big patches.

The problem I see (as I mentioned in a previous message) is that an
un-accepted connection doesn't seem to have a time-out or any limit
(less than the socket buffer) on the amount of kernel memory that can
be used to store incomplete HTTP headers. Therefore an attacker can
quite easily use up all the available mbufs (especially with the
httpready filter). Apache's more conservative timeouts and memory
limits don't get a chance to work because it doesn't know about the
connection. I probably missed something so I'd really like to know
what I overlooked.

Tony.
-- 
en oeccget g mtcaa f.a.n.finch
v spdlkishrhtewe y dot@dotat.at
eatp o v eiti i d. fanf@covalent.net
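The two points argued in the thread (continue without the filter when it is not available, and choosing 'httpready' versus 'dataready') come down to one setsockopt call. The following is an added example written for this archive page; it is not code from the thread, from Apache 1.3, or from FreeBSD. It assumes a FreeBSD-style SO_ACCEPTFILTER / struct accept_filter_arg interface where available, compiles to a "filter unsupported" result on other platforms, and treats a failed setsockopt the way Tony describes: keep the listener running without the filter. The listener, the filter name and the status codes are constructed for the example.

```c
/* Added example (not from the thread, Apache or FreeBSD): attach a
 * FreeBSD accept filter to a listening socket and fall back to a plain
 * listener when the filter is not available. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum accf_status {
    ACCF_APPLIED = 0,      /* filter installed on the socket */
    ACCF_UNAVAILABLE = 1,  /* SO_ACCEPTFILTER exists, but the module is not loaded */
    ACCF_UNSUPPORTED = 2   /* no SO_ACCEPTFILTER on this platform (e.g. Linux) */
};

/* Create a TCP listener on 127.0.0.1 with an ephemeral port (port 0).
 * Returns the file descriptor, or -1 on failure. */
int make_listener(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Try to attach the named accept filter ("httpready" or "dataready").
 * The socket is never closed or altered on failure, so the caller can
 * keep serving without the filter (the "just continue" behaviour). */
enum accf_status enable_accept_filter(int fd, const char *name)
{
#ifdef SO_ACCEPTFILTER
    struct accept_filter_arg afa;
    memset(&afa, 0, sizeof afa);
    strncpy(afa.af_name, name, sizeof afa.af_name - 1);
    if (setsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof afa) == 0)
        return ACCF_APPLIED;
    /* Typically ENOENT when accf_http/accf_data is not loaded; any
     * other error is handled the same way: report and carry on. */
    fprintf(stderr, "accept filter %s not enabled: %s\n", name, strerror(errno));
    return ACCF_UNAVAILABLE;
#else
    (void)fd; (void)name;
    return ACCF_UNSUPPORTED;
#endif
}

/* Check that the socket is still in the listening state (SO_ACCEPTCONN),
 * i.e. the fallback path left a usable listener behind. */
int is_listening(int fd)
{
    int on = 0;
    socklen_t len = sizeof on;
    if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &on, &len) < 0) return 0;
    return on != 0;
}

int main(void)
{
    int fd = make_listener();
    if (fd < 0) { perror("listener"); return 1; }
    enum accf_status st = enable_accept_filter(fd, "httpready");
    printf("filter status %d, still listening: %d\n", (int)st, is_listening(fd));
    close(fd);
    return 0;
}
```

The defender's trade-off in the message is visible in the code: with the filter applied, connections are held in the kernel until the request data (or a complete header, for httpready) arrives, so the server's own timeouts never see them. If you enable it, watch kernel mbuf usage (netstat -m on FreeBSD) rather than relying on Apache's limits for those connections.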