From: Fabian Keil
To: freebsd-questions@freebsd.org
Date: Tue, 23 Jun 2009 17:23:19 +0200
Subject: Re: slowloris, accf_http and POST requests
Message-ID: <20090623172319.1343511f@fabiankeil.de>
In-Reply-To: <20090623083930.GA90810@ei.bzerk.org>

Ruben de Groot wrote:

> On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
> > In the last episode (Jun 22), Ruben de Groot said:
> > >
> > > My main concern here is if applying the trivial patch I posted would
> > > break anything in the http protocol layer. And if not, why isn't the
> > > POST method included in the http accept filter in the first place?
> >
> > The filter wasn't designed to be an anti-DOS tool; it was an
> > optimization to save some context switches at the beginning of every
> > request. POSTs are
>
> I know this. But in this particular case, it *works* as an anti-DOS
> tool. And a pretty good one too.

How did you verify this?

accf_http doesn't require a complete request but will also pass
the connection to the userland if its buffer is full.

If you continue to send headers that will happen eventually
and if you're impatient, you simply have to send a bit more
headers at the beginning to reach the application faster.

Fabian
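Added example, not part of the original message and not FreeBSD kernel code: a simplified in-memory model of the hand-off rule the reply describes, showing that an incomplete request is held only until the buffer fills. The buffer size, the function names and the sample requests are constructed assumptions.

```python
"""Simplified model of the accf_http hand-off rule discussed in this thread.
Not FreeBSD kernel code; BUFSIZE and the sample requests are constructed."""

FILTERED_METHODS = (b"GET ", b"HEAD ")  # POST is not filtered, per the thread
END_OF_HEADERS = b"\r\n\r\n"
BUFSIZE = 256  # constructed value; stands in for the socket receive buffer


def filter_decision(buffered: bytes, bufsize: int = BUFSIZE) -> str:
    """Return 'hold' while the filter keeps the connection in the kernel,
    otherwise the reason it is handed to the userland server."""
    # Prefix test both ways so a partial method ("GE") is still held.
    filtered = any(buffered.startswith(m) or m.startswith(buffered)
                   for m in FILTERED_METHODS)
    if not filtered:
        return "pass: method not filtered"
    if END_OF_HEADERS in buffered:
        return "pass: request complete"
    if len(buffered) >= bufsize:
        return "pass: buffer full"
    return "hold"


def chunks_until_handoff(first: bytes, chunk: bytes, bufsize: int = BUFSIZE):
    """Buffer `first`, then keep appending `chunk` (a header line that never
    completes the request). Returns (chunks_buffered, reason)."""
    if not chunk:
        raise ValueError("chunk must be non-empty")
    buffered, count = first, 1
    while (reason := filter_decision(buffered, bufsize)) == "hold":
        buffered += chunk
        count += 1
    return count, reason


if __name__ == "__main__":
    start = b"GET / HTTP/1.1\r\nHost: example.test\r\n"  # constructed request
    header = b"X-a: b\r\n"                               # constructed header
    print(filter_decision(start + b"\r\n"))         # complete request
    print(filter_decision(b"POST / HTTP/1.1\r\n"))  # method outside the filter
    print(chunks_until_handoff(start, header))      # incomplete request
    print(chunks_until_handoff(start + header * 27, header))  # larger start
```

In this model the time an incomplete request stays in the kernel is bounded by the buffer size divided by the sender's rate, so the filter delays the hand-off to the application but does not prevent it.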