[Ur] few security patches
Adam Chlipala
adamc at csail.mit.edu
Sat Sep 6 10:02:25 EDT 2014
On 09/06/2014 05:49 AM, Sergey Mironov wrote:
> Hi. Let me post a few more patches dealing with security.
Thanks! They're all pushed to the main repo now.
> 4_of_4_Introduce_recv_timeout_controlled_by___T__option_in_http_c.patch
>
> The most important one: I found that http.c-based applications suffer
> from a kind of DDoS attacks where attacker opens connections to the
> application, but sends no data. As soon as all threads block in their
> [recv]s, application stops answering requests. This patch helps to
> protect the application by setting up a timeout for recv and an option
> to control it.
It seems like an OK idea to include this style of timeout, but:
1) The approach still seems naive. The attacker can instead send one
byte every few seconds and do a lot of damage!
2) I've been assuming serious deployments will be behind popular HTTP
servers like Apache, using FastCGI to connect to Ur/Web apps, so that
the security measures of those HTTP servers are applied "for free".
More information about the Ur
mailing list