From owner-freebsd-questions Fri Sep 1 0:44:57 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from hand.dotat.at (dhcp.207.44.198.57.salon.com [207.44.198.57])
	by hub.freebsd.org (Postfix) with ESMTP id 5590B37B42C
	for ; Fri, 1 Sep 2000 00:44:53 -0700 (PDT)
Received: from fanf by hand.dotat.at with local (Exim 3.15 #3)
	id 13UlV9-0000D7-00; Fri, 01 Sep 2000 07:44:39 +0000
Date: Fri, 1 Sep 2000 07:44:39 +0000
From: Tony Finch
To: Alfred Perlstein
Cc: Steve Lewis , "James E. Pace" , freebsd-questions@FreeBSD.ORG
Subject: Re: Scaling Apache?
Message-ID: <20000901074439.A515@hand.dotat.at>
References: <20000828114314.Y1209@fw.wintelcom.net>
	<20000828115822.A1209@fw.wintelcom.net>
	<20000831013646.C25064@hand.dotat.at>
	<20000830190849.B18862@fw.wintelcom.net>
	<20000831033930.D25064@hand.dotat.at>
	<20000831183454.E18862@fw.wintelcom.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20000831183454.E18862@fw.wintelcom.net>
Organization: Covalent Technologies, Inc
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Alfred Perlstein wrote:
>Tony Finch wrote:
>>Alfred Perlstein wrote:
>>>
>>>May I make two suggestions:
>>>1) just issue a warning and continue on if the filter isn't available
>>
>> I decided to just continue and not issue a warning because in the
>> usual case accept filters aren't required and they can cause trouble
>> (greater vulnerability to DOS attacks). If the user is sufficiently
>> interested in them they'll find out about it from the release notes
>> and performance tuning documentation.
>
>This is complete bullshit, people need to actually read the code
>before making blanket statements like this.

What, the thing about DOS attacks? I did read and try out the code,
which is where the concern came from.

>>>2) allow a runtime/compiletime option to use the 'httpready' module
>>>   as it offers substantial benefits over dataready.
>>
>> There's already a compile time option.
>
>runtime would be nicer.

Yes, but since 1.3 is approaching the end of its life we don't want
big patches.

The problem I see (as I mentioned in a previous message) is that an
un-accepted connection doesn't seem to have a time-out or any limit
(less than the socket buffer) on the amount of kernel memory that can
be used to store incomplete HTTP headers. Therefore an attacker can
quite easily use up all the available mbufs (especially with the
httpready filter). Apache's more conservative timeouts and memory
limits don't get a chance to work because it doesn't know about the
connection.

I probably missed something so I'd really like to know what I
overlooked.

Tony.
-- 
en oeccget g mtcaa  f.a.n.finch
v spdlkishrhtewe y  dot@dotat.at
eatp o v eiti i d.  fanf@covalent.net
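The behaviour Tony describes for Apache 1.3 (request the accept filter on the listening socket, and simply carry on serving without it when the kernel does not offer it) is easy to show in a few lines of C. The following is an added example, not code from Apache or from anyone in this thread. SO_ACCEPTFILTER, struct accept_filter_arg and the filter names "dataready" (accf_data) and "httpready" (accf_http) are the real FreeBSD interface; enable_accept_filter(), accept_filter_name_ok(), make_listen_socket() and demo_on_loopback() are this example's own helpers. On a kernel without SO_ACCEPTFILTER the code compiles and reports the option as unavailable rather than failing.

```c
/* Added example: install a FreeBSD accept filter on a listening socket and
 * continue without it when it is unavailable (Apache 1.3's behaviour as
 * described in the thread). Helper names are this example's own. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* af_name is a 16-byte field including the terminating NUL, so a usable
 * filter name is 1..15 characters. Returns 1 if NAME fits, else 0. */
int accept_filter_name_ok(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    return n > 0 && n < 16;
}

/* Request accept filter NAME on LISTEN_FD (which must already be listening).
 * Returns 0 on success, 1 if this platform has no SO_ACCEPTFILTER at compile
 * time, or -1 with errno set if the kernel refused it, e.g. because the
 * accf_data/accf_http module is not loaded. The caller is expected to keep
 * serving in the 1 and -1 cases. */
int enable_accept_filter(int listen_fd, const char *name)
{
    if (!accept_filter_name_ok(name)) {
        errno = EINVAL;
        return -1;
    }
#ifdef SO_ACCEPTFILTER
    struct accept_filter_arg afa;
    memset(&afa, 0, sizeof afa);
    strncpy(afa.af_name, name, sizeof afa.af_name - 1);
    if (setsockopt(listen_fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof afa) < 0)
        return -1;
    return 0;
#else
    (void)listen_fd;
    return 1;
#endif
}

/* TCP listener on 127.0.0.1 with an ephemeral port; returns fd or -1. */
int make_listen_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create a loopback listener, try filter NAME on it, close it, and return
 * the enable_accept_filter() result; -2 if no listener could be created. */
int demo_on_loopback(const char *name)
{
    int fd = make_listen_socket();
    if (fd < 0)
        return -2;
    int r = enable_accept_filter(fd, name);
    int saved = errno;
    close(fd);
    errno = saved;
    return r;
}

int main(void)
{
    int r = demo_on_loopback("httpready");
    if (r == 0)
        puts("httpready accept filter installed");
    else if (r == 1)
        puts("no SO_ACCEPTFILTER on this platform; continuing without it");
    else if (r == -1)
        printf("accept filter unavailable (%s); continuing without it\n", strerror(errno));
    else
        puts("could not create a loopback listener");
    return 0;
}
```

Note that once a filter is installed, the kernel holds the connection (and whatever partial data has arrived) until the filter's condition is met, so the server's own read timeouts only start after accept() returns; that is exactly the window Tony's mbuf concern is about, and it is why enabling the filter should be a deliberate choice rather than a silent default.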