[Ur] few security patches

Sergey Mironov grrwlf at gmail.com
Sat Sep 6 10:48:58 EDT 2014


2014-09-06 18:02 GMT+04:00 Adam Chlipala <adamc at csail.mit.edu>:
> On 09/06/2014 05:49 AM, Sergey Mironov wrote:
>> 4_of_4_Introduce_recv_timeout_controlled_by___T__option_in_http_c.patch
> It seems like an OK idea to include this style of timeout, but:
> 1) The approach still seems naive.  The attacker can instead send one byte
> every few seconds and do a lot of damage!
> 2) I've been assuming serious deployments will be behind popular HTTP
> servers like Apache, using FastCGI to connect to Ur/Web apps, so that the
> security measures of those HTTP servers are applied "for free".

Agree. Probably, I shouldn't call this patch 'a DDoS protection'. I
did face a timeout problem while running an http.c-based application on
the Internet. I think it was something like a mad or broken internet
scanner rather than a _real_ attack, but it was able to mute the
application. The timeout patch seems to add some amount of resistance,
so the application became stable in a neutral environment. To protect it
against hostile clients one really should use special tools.

Regards,
Sergey
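An added example, not part of this thread or of the Ur/Web http.c patch: a read loop that enforces one overall deadline per request with poll(), so a client that trickles one byte every few seconds (Adam's point 1) still exhausts its budget instead of resetting a per-recv() timer each time. The demo substitutes a pipe for a socket; the function names, return codes and the 200 ms budget are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Result codes for read_with_deadline() (assumed names). */
enum { RD_COMPLETE = 0, RD_TIMEOUT = -1, RD_CLOSED = -2, RD_ERROR = -3 };

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Read until `want` bytes arrive, the peer closes, or the total budget
 * `deadline_ms` (counted from the first call, not from the last byte)
 * is spent. A per-recv() timeout restarts on every byte; this one does
 * not, so a one-byte-per-few-seconds client cannot hold the slot open. */
int read_with_deadline(int fd, char *buf, size_t want, long deadline_ms, size_t *got) {
    long deadline = now_ms() + deadline_ms;
    *got = 0;
    while (*got < want) {
        long left = deadline - now_ms();
        if (left <= 0) return RD_TIMEOUT;
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, (int)left);          /* wait only for what is left */
        if (r == 0) return RD_TIMEOUT;
        if (r < 0) { if (errno == EINTR) continue; return RD_ERROR; }
        ssize_t n = read(fd, buf + *got, want - *got);
        if (n == 0) return RD_CLOSED;
        if (n < 0) { if (errno == EINTR) continue; return RD_ERROR; }
        *got += (size_t)n;
    }
    return RD_COMPLETE;
}

/* Demo over a pipe (constructed input): a complete request finishes,
 * a client that sends 3 bytes and then stalls hits the deadline. */
int demo_pipe(int complete) {
    int fds[2];
    if (pipe(fds) != 0) return RD_ERROR;
    const char *msg = "GET / HTTP/1.0\r\n\r\n";
    size_t want = strlen(msg);
    ssize_t w = write(fds[1], msg, complete ? want : 3);
    (void)w;
    char buf[64]; size_t got;
    int rc = read_with_deadline(fds[0], buf, want, 200, &got);
    close(fds[0]); close(fds[1]);
    return rc;
}
```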
