A Denial of Service (DoS) attack that takes advantage of this single all-encompassing Timeout has been hitting many servers. The attack opens many connections to a web server and then simply leaves them open without ever sending a request. The server waits until Timeout has elapsed before closing each of them; in the meantime, so many new server instances have been started that the MaxClients limit is reached very quickly, and any further (possibly legitimate) connections are refused.
The problem is made worse by the fact that Timeout is usually set to a large value, typically in the 300 second (5 minute) to 1200 second (20 minute) range. In that configuration the "null" connections described above can take up to 20 minutes to time out.
Apache badly needs distinct timeout values for transmissions and receptions. The patch below provides this by adding a new "RecvTimeout" directive, so that a much smaller timeout can be specified for receptions. The existing "Timeout" value is then used primarily for transmissions, although a few reception cases are still governed by it. The most significant use of "RecvTimeout" is for the initial "GET" request issued by a client.
With RecvTimeout set to 5 seconds, any incoming request that is not completed within 5 seconds is timed out. The "null" connections described above are therefore dropped very quickly, which greatly reduces the number of server instances left idle waiting on them.
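To make the mechanics concrete, here is an added example (my own illustration, not the author's patch and not Apache code) that models one Apache 1.3 child per connection with a small thread pool, applies a receive timeout only to the request head, and measures what a legitimate client sees while silent connections are being held open. The server, the pool size and the timeout values are constructed for the demonstration; apart from the 300 second figure quoted above, none of them are Apache defaults.

```python
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Optional

# Hypothetical stand-in for an Apache 1.3 server: each accepted connection
# is handled by one worker, and max_workers plays the role of MaxClients.
# All sizes and timeouts below are illustrative values for the demo.


def read_request_head(conn: socket.socket, recv_timeout: float,
                      max_bytes: int = 8192) -> Optional[bytes]:
    """Read the request line and headers (up to the blank line).

    recv_timeout is the receive timeout of the patch: it bounds how long a
    worker waits for the client to say anything. Returns None if the peer
    stays silent past recv_timeout, closes early, or sends an oversized head.
    """
    conn.settimeout(recv_timeout)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:
                return None            # peer closed without a full request
            buf += chunk
            if len(buf) > max_bytes:
                return None            # refuse unbounded header growth
    except socket.timeout:
        return None                    # "null" connection: timeout elapsed
    return buf


def handle(conn: socket.socket, recv_timeout: float) -> str:
    """Serve one connection; returns 'served' or 'idle'."""
    try:
        head = read_request_head(conn, recv_timeout)
        if head is None:
            return "idle"
        try:
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n"
                         b"Connection: close\r\n\r\nok")
        except OSError:
            pass                       # client gave up before we answered
        return "served"
    finally:
        conn.close()


def start_server(recv_timeout: float, max_workers: int):
    """Listen on an ephemeral loopback port; returns (port, shutdown)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)
    srv.settimeout(0.05)               # lets the acceptor notice shutdown
    pool = ThreadPoolExecutor(max_workers=max_workers)
    stop = threading.Event()

    def acceptor():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            try:
                pool.submit(handle, conn, recv_timeout)
            except RuntimeError:       # pool already shut down
                conn.close()
                break

    threading.Thread(target=acceptor, daemon=True).start()

    def shutdown():
        stop.set()
        srv.close()
        pool.shutdown(wait=True)

    return srv.getsockname()[1], shutdown


def legit_request(port: int, deadline: float) -> Optional[float]:
    """One real GET; returns seconds until a response, or None on timeout."""
    t0 = time.monotonic()
    with socket.create_connection(("127.0.0.1", port), timeout=deadline) as c:
        c.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
        try:
            data = c.recv(256)
        except socket.timeout:
            return None
    return time.monotonic() - t0 if data.startswith(b"HTTP/1.0 200") else None


def demo(recv_timeout: float, idle_connections: int, max_workers: int,
         deadline: float) -> Optional[float]:
    """Hold idle_connections silent sockets open, then time a real request."""
    port, shutdown = start_server(recv_timeout, max_workers)
    idle = [socket.create_connection(("127.0.0.1", port))
            for _ in range(idle_connections)]
    time.sleep(0.1)                    # let the acceptor hand them to workers
    try:
        return legit_request(port, deadline)
    finally:
        for s in idle:
            s.close()                  # frees any worker blocked in recv()
        shutdown()


if __name__ == "__main__":
    # One long Timeout (300 s, the figure quoted above): every worker stays
    # pinned by a silent connection and the real client gives up.
    print("Timeout 300    :", demo(300.0, idle_connections=4, max_workers=2, deadline=1.0))
    # A short receive timeout: silent connections are reaped and the real
    # request is answered after about idle/workers * recv_timeout seconds.
    print("RecvTimeout 0.2:", demo(0.2, idle_connections=4, max_workers=2, deadline=2.0))
```

Running the script shows the first call returning None (the legitimate client times out waiting behind the silent connections) and the second returning a latency of a few tenths of a second. Note that the short limit here covers only the request head; applying the same limit to the request body is what penalises slow clients sending large forms or uploads.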
This patch has been submitted to the Apache Development team on 2001/09/20 (for 1.3.20), and again on 2002/01/26 (for 1.3.23). Hopefully it will be incorporated into an upcoming release. (There may be an acceptance issue relating to the changes this patch makes to the server_rec structure.)
> I saw your RecvTimeout patch for apache 1.3 and I could really use it.
> However, I'm running apache 2.0. Do you happen to have a patch or solution
> for apache 2.0?

Apache 2.0 was supposed to have multiple tunable timeouts, and hence make my patch obsolete, but they never actually got around to implementing that.
Their docs for the Timeout directive still say:
"We plan on making these separately configurable at some point down the road. The timer used to default to 1200 before 1.2, but has been lowered to 300 which is still far more than necessary in most situations. It is not set any lower by default because there may still be odd places in the code where the timer is not reset when a packet is sent."
I have not made a port of my patch for Apache 2.0, partly due to time constraints, and it really wasn't all that useful. While a 10 second receive timeout was nice to keep DoS'ers at bay, it came to light that it was really breaking things for slow dial-up users posting large forms or uploading files. In the end, there was no good trade-off between the two, and so I just stick with the default Timeout directive in Apache 2.0.
Of course, if you want to have a go at forward-porting the patch (or re-doing it from scratch), be my guest.
This page last modified on 2005-03-16 16:13:34.