Date:      Wed, 8 Aug 2001 02:11:44 -0500
From:      Bill Fumerola <billf@mu.org>
To:        David Xu <bsddiy@163.net>
Cc:        Christopher Ellwood <chris+freebsd-net@silicon.net>, freebsd-net@freebsd.org
Subject:   Re: Problem with Code Red II and HTTP Accept Filtering
Message-ID:  <20010808021144.D2759@elvis.mu.org>
In-Reply-To: <004401c11fc9$25a08950$6201a8c0@William>; from bsddiy@163.net on Wed, Aug 08, 2001 at 01:15:31PM +0800
References:  <20010807213844.N672-100000@diamond> <004401c11fc9$25a08950$6201a8c0@William>

On Wed, Aug 08, 2001 at 01:15:31PM +0800, David Xu wrote:
> my opinion is don't use accept filter, it can become DOS attack target.
> sending a big http header and don't complete it,  it does not let apache know a connection 
> is already made and there is no timeout counter like which in Apache server.
> using an accept filter can not get so much benefit.

you don't run high performance, high load web servers.  if you did, you
might actually understand the problem (spending too many cycles checking
for connections v. actually dealing with the connections).

there most certainly is a timeout counter, it's the same one the rest of
the connections in the listen queue use. if you feel that there are
deficiencies in the listen queue drop methods (see sodropablereq()) then
feel free to submit a patch or two.

if you feel that the http accept filter is too heavy handed an approach,
you may also use the data-ready accept filter (assuming you actually have
a webserver and this isn't actually another troll).

-- 
Bill Fumerola / billf@FreeBSD.org
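
The data-ready accept filter mentioned in the message above, attached to a listening socket with setsockopt(SO_ACCEPTFILTER). This is an added example, not part of the original e-mail or of FreeBSD's sources. The helper names are hypothetical, and on a platform without SO_ACCEPTFILTER the helper only reports the filter as unavailable.

```c
/* Added example: attach a FreeBSD accept filter to a listening socket. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical helper: TCP listener on 127.0.0.1, kernel-chosen port. */
int listen_loopback(void)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* sin_port 0: any free port */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hypothetical helper: hold connections in the listen queue until the named
 * filter ("dataready" or "httpready") is satisfied. Returns 1 if installed,
 * 0 if unavailable (accept() behaves as usual), -1 if fd is not a socket. */
int install_accept_filter(int fd, const char *name)
{
#ifdef SO_ACCEPTFILTER
    struct accept_filter_arg afa;
    memset(&afa, 0, sizeof(afa));
    strncpy(afa.af_name, name, sizeof(afa.af_name) - 1);
    /* Must be called after listen(); the filter applies to queued connections. */
    if (setsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)) == 0)
        return 1;
    /* ENOENT here means the accf_data / accf_http module is not loaded. */
    return (errno == EBADF || errno == ENOTSOCK) ? -1 : 0;
#else
    int type;
    socklen_t len = sizeof(type);
    (void)name;  /* no accept filters on this platform: only validate fd */
    return getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) == 0 ? 0 : -1;
#endif
}

int main(void)
{
    printf("dataready: %d\n", install_accept_filter(listen_loopback(), "dataready"));
    return 0;
}
```

A return value of 0 on FreeBSD usually means the filter's kernel module is not loaded, so the server keeps working without the filter and every completed handshake is handed to accept() immediately.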
