keepalive_timeout 1 1 & client_body_buffer_size question

David Taveras d3taveras38d3 at
Wed Mar 10 01:39:30 MSK 2010


I am replying to myself.

keepalive_timeout does not matter in a slowloris attack, because there
is also a keepalive_requests, which is the number of requests that
can be made over a keep-alive connection. So it would be conservative
to allow 5 5 seconds, as in the end, if somebody were to abuse that, it
would not matter after 100.

Could anybody give me feedback on the purpose of client_body_buffer_size and how to test it?



On Mon, Mar 8, 2010 at 4:51 PM, David Taveras <d3taveras38d3 at> wrote:
> Hello,
> I am currently exploring the following directives.
> First:
> keepalive_timeout 1 1 ... Suppose I am getting a slowloris attack; I
> think this is a great parameter to reduce in such a case. Would a normal
> browser simply reopen a connection if it could not work with that low
> keep-alive timeout? How would browsers react, aside from the fact that,
> if they are behind a slow connection, it would probably cause them to open
> a new connection for each request?
> Second:
> I have been told that setting a low (1k) client_body_buffer_size is
> suitable to protect against buffer overflows. However, I am reading that
> anything larger than that body buffer size will simply be written to
> disk. What exactly is the advantage here? How would I be able to test
> this parameter from the outside?
> (To be honest I don't know what a client body buffer size is; I tried
> Google but that didn't help much.)
> David
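The two directives in this thread do different jobs, and both can be observed from outside. A slowloris client never finishes sending its request headers, so the timer that applies is client_header_timeout (60s by default), not keepalive_timeout, which only starts after a complete request has been answered; and client_body_buffer_size only chooses how much of a request body nginx holds in memory before spooling the rest to a temporary file under client_body_temp_path, while the size limit that actually rejects a body (with 413) is client_max_body_size. The script below is an added example for this thread, not code from the original post or from nginx: it sends a deliberately half-finished request and measures how long the server keeps the socket open, and it POSTs bodies of a few sizes and reports the status code returned. HOST, PORT and the /upload path are assumptions; point them at a test instance with a location that accepts POST.

```python
#!/usr/bin/env python3
"""Probe an nginx instance from the outside for the behaviour discussed
in the thread: tolerance of a half-sent request (the slowloris case) and
handling of POST bodies of different sizes.

Added example, not code from the original post or from nginx itself.
HOST, PORT and the /upload path are assumptions for a local test instance."""

import socket
import time

HOST = "127.0.0.1"   # assumption: local nginx test instance
PORT = 80
UPLOAD_PATH = "/upload"   # assumption: a location that accepts POST


def build_partial_request(host: str) -> bytes:
    """Request line plus one header and NO terminating blank line.
    nginx waits for the rest until client_header_timeout expires;
    keepalive_timeout never applies because no request has completed."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nX-a: 1\r\n".encode()


def build_post(host: str, path: str, body_len: int) -> bytes:
    """Complete POST with a body_len-byte body and a matching Content-Length.
    Bodies above client_body_buffer_size are spooled to a temp file;
    bodies above client_max_body_size are answered with 413."""
    body = b"A" * body_len
    head = (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
        f"Content-Type: application/octet-stream\r\n"
        f"Content-Length: {body_len}\r\nConnection: close\r\n\r\n"
    ).encode()
    return head + body


def parse_status(response: bytes):
    """Numeric status code from a raw HTTP response, or None if malformed."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def _recv_all(sock: socket.socket) -> bytes:
    """Read until the peer closes or the socket timeout fires."""
    chunks = []
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    except socket.timeout:
        pass
    return b"".join(chunks)


def time_until_closed(host: str, port: int, payload: bytes, max_wait: float = 90.0) -> float:
    """Send payload and wait; return seconds until the server closes the
    socket, or max_wait if it never does. With a partial request this
    measures client_header_timeout from the attacker's point of view."""
    sock = socket.create_connection((host, port), timeout=max_wait)
    start = time.monotonic()
    sock.sendall(payload)
    _recv_all(sock)          # drain whatever the server sends until EOF
    sock.close()
    return time.monotonic() - start


def post_status(host: str, port: int, path: str, body_len: int):
    """POST a body of body_len bytes and return the status code nginx sends."""
    sock = socket.create_connection((host, port), timeout=30)
    sock.sendall(build_post(host, path, body_len))
    response = _recv_all(sock)
    sock.close()
    return parse_status(response)


if __name__ == "__main__":
    held = time_until_closed(HOST, PORT, build_partial_request(HOST))
    print(f"half-sent request: server closed the socket after {held:.1f}s")
    # sizes straddling the default 8k/16k buffer and the default 1m body limit
    for size in (512, 64 * 1024, 2 * 1024 * 1024):
        print(f"POST of {size} bytes -> {post_status(HOST, PORT, UPLOAD_PATH, size)}")
```

Run it once against the default configuration and once after lowering client_header_timeout and client_max_body_size: the first number should drop to the new header timeout, and the largest POST should flip from whatever the upstream answers to 413. Changing client_body_buffer_size alone will not alter any of these results; it only moves where the body is stored on the server side, which you can see in nginx's temp directory, not from the client.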

More information about the nginx mailing list