| Field | Value |
|---|---|
| Summary | Fails to properly mitigate Slow Post DoS attack |
| Product | Apache httpd-2 |
| Reporter | zmaximz |
| Component | mod_reqtimeout |
| Assignee | Apache HTTPD Bugs Mailing List <bugs> |
| Status | NEW |
| Severity | major |
| Priority | P2 |
| Version | 2.5-HEAD |
| Target Milestone | --- |
| Hardware | PC |
| OS | Linux |
Description
zmaximz
2014-07-20 17:13:25 UTC
http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html

The first and fourth examples in the manual use a maxtimeout on the body (if I'm understanding the syntax correctly). Net, if you want a maxtimeout, you have to configure one. Is it the manual you want updated? Or some default configuration? Or the way the module behaves if you load it and don't configure it at all? Do you have an argument for a reasonable (doesn't break normal clients) and effective (actual benefit to a client that reconnects) body maxtimeout?

As I understand from the module's behavior, "timeout" refers to "time to first byte" of the header/body and "maxtimeout" refers to "time to last byte" of the header/body.

type=timeout-maxtimeout,MinRate=data_rate

What I believe is missing is the "maxtimeout" for the body:

RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500

Instead of:

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

The missing "maxtimeout" for the body makes the described attack effective. I believe 40 seconds is a reasonable time for "maxtimeout". I think editing the example might be the first step, so future mod_reqtimeout users won't be vulnerable. Is there a common channel to inform all the distributions that ship with Apache httpd, so they could consider changing their default configuration?

> I think editing the example might be the first step, so future
> mod_reqtimeout users won't be vulnerable.

Is what you're referring to as "the example" the text next to the word "Default" in the manual? The default is not an example, it's what you get by default when you don't use the directive. In other words, the compiled-in defaults for the module. Is that what you're lobbying for to be 40 seconds? As I said before, there are plenty of examples that use a timeout for the body. But the user has to select one.

Please start a thread over on dev@httpd.apache.org if you want to discuss a change to the defaults in the 2.4 or 2.2 maintenance stream -- I am personally not in favor, but that is the proper place for discussion.

> Is there a common channel to inform all the distributions that ship with
> Apache httpd, so they could consider changing their default configuration?

Not really.
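A small model of the deadline arithmetic the thread argues about, added here as an example (it is not code from the httpd project or from anyone in this thread). It assumes the documented stage semantics: a stage starts with `timeout` seconds, MinRate=N extends the deadline by one second per N bytes received, and `maxtimeout`, when present, caps that deadline; buffering and the module's microsecond integer arithmetic are left out, and the client timelines are constructed.

```python
"""Simplified model of a mod_reqtimeout stage deadline (added example, not
httpd code). Shows why 'body=20,MinRate=500' with no maxtimeout lets a
client that trickles 500 B/s hold its connection open indefinitely, while
'body=20-40,MinRate=500' bounds every body read to 40 seconds."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Stage:
    """One RequestReadTimeout stage value such as '20-40,MinRate=500'."""
    timeout: float               # initial deadline, seconds after stage start
    maxtimeout: Optional[float]  # absolute cap on the deadline; None if absent
    min_rate: Optional[int]      # bytes that buy one extra second; None if absent

    @classmethod
    def parse(cls, spec: str) -> "Stage":
        parts = spec.split(",")
        lo, _, hi = parts[0].partition("-")
        rate = None
        for part in parts[1:]:
            key, _, val = part.partition("=")
            if key.strip().lower() == "minrate":
                rate = int(val)
        return cls(float(lo), float(hi) if hi else None, rate)


def time_out_at(stage: Stage, arrivals: Sequence[Tuple[float, int]]) -> Optional[float]:
    """Return the second at which the deadline is hit, or None if every chunk in
    `arrivals` (seconds since stage start, bytes) is read before the deadline."""
    deadline = stage.timeout
    for t, nbytes in arrivals:
        if t > deadline:
            return deadline
        if stage.min_rate:
            deadline += nbytes / stage.min_rate          # each byte buys 1/MinRate s
            if stage.maxtimeout is not None:
                deadline = min(deadline, stage.maxtimeout)  # cap only if configured
    return None


def trickle(seconds: int, bytes_per_second: int) -> List[Tuple[float, int]]:
    """Constructed client that sends a fixed number of bytes once per second."""
    return [(float(s), bytes_per_second) for s in range(1, seconds + 1)]


DOCUMENTED = Stage.parse("20,MinRate=500")   # body stage as quoted in the thread
PROPOSED = Stage.parse("20-40,MinRate=500")  # same stage with the 40 s maxtimeout

if __name__ == "__main__":
    slow = trickle(600, 500)  # ten minutes at exactly the minimum rate
    print("body=20,MinRate=500    ->", time_out_at(DOCUMENTED, slow))  # None: never closed
    print("body=20-40,MinRate=500 ->", time_out_at(PROPOSED, slow))    # 40.0
```

A normal upload that finishes within seconds passes both configurations unchanged; only the deadline for a connection that keeps arriving at the minimum rate differs.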