trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <h.rei...@thelounge.net>
Subject DOS-Protection: RequestReadTimeout-like option missing
Date Sat, 11 May 2013 13:08:41 GMT
Hi

http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
i am missing such a option for Trafficserver
this would mitigate a lot of Slowloris-like DOS-attacks

<IfModule mod_reqtimeout.c>
 RequestReadTimeout "header=10-15,MinRate=500"
</IfModule>
____________________________________________________

the same request as below is terminated by httpd after 10 seconds
while Trafficserver waits "no_activity_timeout" to close it

CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60

is in no way compareable, because if you lower this to 10 seconds
you kill any request targeted to a longer running PHP script on
the origin server what happens application and load-dependent

httpd does even not terminate the following script with
"Timeout 30" and "RequestReadTimeout" with setting above

<?php
 sleep(90);
 echo 'TEST';
?>
____________________________________________________

[harry@srv-rhsoft:~/Desktop]$ ./timeout.sh
Sa 11. Mai 14:50:43 CEST 2013
Trying 10.0.0.4...
Connected to proxy.
Escape character is '^]'.
GET / HTTP/1.1
Connection closed by foreign host.
Sa 11. Mai 14:51:46 CEST 2013

[harry@srv-rhsoft:~/Desktop]$ ./timeout.sh
Sa 11. Mai 15:00:37 CEST 2013
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
HTTP/1.1 408 Request Timeout
Server: Apache
Content-Length: 545
Connection: close
Content-Type: text/html; charset=iso-8859-1
Connection closed by foreign host.
Sa 11. Mai 15:00:48 CEST 2013
____________________________________________________

that is the test-script
after call it simply paste "GET / HTTP/1.1" in the telnet
session and press enter and look how long timeout takes

[harry@srv-rhsoft:~/Desktop]$ cat timeout.sh
#!/bin/bash
date
telnet localhost 80
date


Mime
View raw message