DoS attack in the wild

Cliff Wells cliff at develix.com
Fri Jun 19 23:31:17 MSD 2009


On Fri, 2009-06-19 at 22:09 +0300, luben karavelov wrote:
> luben karavelov wrote:
> > A DoS attack against a number of http servers is available and has hit 
> > slashdot today: 
> > http://it.slashdot.org/story/09/06/19/1243203/Attack-On-a-Significant-Flaw-In-Apache-Released 
> > 
> > 
> > Out of the box nginx is also vulnerable (I have tested it on latest 0.7 
> > installation). A quick fix for the vulnerability follows:
> > 
> > Put in "http" section:
> > 
> > client_body_timeout 10;
> > client_header_timeout 10;
> > keepalive_timeout 10;
> > send_timeout 10;
> > limit_zone limit_per_ip $binary_remote_addr 1m;
> > 
> > and put in "server" section :
> > 
> > limit_conn limit_per_ip 16;
> > 
> > The last 2 configuration lines are for limiting connections per client 
> > IP. The first lines are some sane connection timeouts.
> > 
> > Best regards and keep the great work!
> > 
> 
> If you process some large uploads or the page generation gets over 10 
> seconds you could raise the timeouts. Actually the fix is the last 
> lines: limiting the connection number per client IP.

This will probably also cause issues where a large number of clients are
behind a single NAT firewall, such as a corporate portal.

I don't think such an attack can be prevented at any single level.
Although such measures might help in some cases, I think we should be
wary of presenting them as a universal solution.

Regards,
Cliff

-- 
http://www.google.com/search?q=vonage+sucks
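The configuration below is an added example, not from either poster, showing the per-IP connection cap from the thread together with one way to address the NAT concern raised in the reply: addresses of known NAT gateways are mapped to an empty limit key, and nginx does not count connections whose key is empty. It uses the `limit_conn_zone` directive that replaced `limit_zone` in nginx 1.1.8; the `203.0.113.0/24` range and the zone name `limit_per_ip` are constructed placeholders, and the timeout values are the ones from the thread.

```nginx
http {
    # Trusted NAT egress ranges (constructed placeholder; adjust to your site).
    # Clients arriving from these addresses are exempt from the per-IP cap.
    geo $exempt_from_limit {
        default         0;
        203.0.113.0/24  1;   # hypothetical corporate NAT gateway
    }

    # An empty key means the connection is not accounted in the zone at all,
    # so a busy NAT address is not throttled while every other address is.
    map $exempt_from_limit $conn_limit_key {
        0 $binary_remote_addr;
        1 "";
    }

    # Timeouts against slow clients (values as suggested in the thread;
    # raise them if you serve large uploads or slow page generation).
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     10;
    send_timeout          10;

    # Shared-memory zone keyed by client address (nginx 1.1.8+ syntax).
    limit_conn_zone $conn_limit_key zone=limit_per_ip:10m;
    limit_conn_log_level warn;   # rejected connections show up in error_log

    server {
        listen 80;
        server_name example.com;   # placeholder

        # At most 16 concurrent connections per non-exempt client address.
        limit_conn limit_per_ip 16;

        root /var/www/html;        # placeholder
    }
}
```

Rejections are logged at the `warn` level with the zone name, which gives a simple signal to watch: a burst of `limiting connections by zone "limit_per_ip"` entries from a single address during an attack, versus steady entries from one address in normal traffic, which usually means a NAT gateway that should be added to the exempt list.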