Date: Wed, 8 Aug 2001 02:11:44 -0500
From: Bill Fumerola
To: David Xu
Cc: Christopher Ellwood, freebsd-net@freebsd.org
Subject: Re: Problem with Code Red II and HTTP Accept Filtering
Message-ID: <20010808021144.D2759@elvis.mu.org>

On Wed, Aug 08, 2001 at 01:15:31PM +0800, David Xu wrote:

> my opinion is don't use accept filter, it can become DOS attack target.
> sending a big http header and don't complete it, it does not let apache know a connection
> is already made and there is no timeout counter like which in Apache server.
> using an accept filter can not get so much benefit.

you don't run high performance, high load web servers. if you did, you might actually understand the problem (spending too many cycles checking for connections v. actually dealing with the connections).

there most certainly is a timeout counter, it's the same one the rest of the connections in the listen queue use. if you feel that there are deficiencies in the listen queue drop methods (see sodropablereq()) then feel free to submit a patch or two.

if you feel that the http accept filter is too heavy handed an approach, you may also use the data-ready accept filter (assuming you actually have a webserver and this isn't actually another troll).

-- 
Bill Fumerola / billf@FreeBSD.org
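
Added example, not part of the original message or of FreeBSD's sources: how a server requests the accept filters discussed above through FreeBSD's SO_ACCEPTFILTER socket option, trying httpready first and falling back to dataready, then to an unfiltered socket. The names set_accept_filter, listen_filtered and ACCF_NAME_MAX are made up for this example, the preference order is an assumption, and on systems without SO_ACCEPTFILTER the call reports ENOPROTOOPT.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

#define ACCF_NAME_MAX 16  /* example constant: size of af_name in struct accept_filter_arg */
/* Install the named filter on a socket that is already listening.
 * Returns 0 on success, -1 with errno set on failure. */
int set_accept_filter(int lsock, const char *name)
{
    if (name == NULL || *name == '\0') { errno = EINVAL; return -1; }
    if (strlen(name) >= ACCF_NAME_MAX) { errno = ENAMETOOLONG; return -1; }
#ifdef SO_ACCEPTFILTER
    struct accept_filter_arg afa;
    memset(&afa, 0, sizeof(afa));
    strcpy(afa.af_name, name);
    /* Fails if the filter's kernel module (accf_http, accf_data) is not loaded. */
    return setsockopt(lsock, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
#else
    (void)lsock;
    errno = ENOPROTOOPT;  /* this platform has no accept filters */
    return -1;
#endif
}

/* Listen on 127.0.0.1:port (0 = any port), preferring httpready, then dataready,
 * then no filter. *used receives the installed filter name, or NULL if none. */
int listen_filtered(unsigned short port, const char **used)
{
    static const char *const prefs[] = { "httpready", "dataready" };
    struct sockaddr_in sin;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    *used = NULL;
    if (s < 0) return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(s, 128) < 0) {
        close(s);
        return -1;
    }
    for (size_t i = 0; i < sizeof(prefs) / sizeof(prefs[0]); i++)
        if (set_accept_filter(s, prefs[i]) == 0) { *used = prefs[i]; break; }
    return s;
}
```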