On Thu, 14 Aug 2014 09:52:44 +0100
Dimitris Papastamos <dp_AT_spl9.org> wrote:
> One thing that needs to be fixed in the current model
> is to timeout existing connections that we have received no
> data from in a time interval.
>
> So consider the following:
>
> for i in $(seq 1 1000); do
> nc 127.0.0.1 "$PORT" &   # $PORT: the server's listening port (placeholder)
> done
>
> This will create 1000 processes on the server, all of them
> blocked on a read().
Exactly!
This opens a security hole for DDoS attacks in which the attacker just
sends a non-terminated header.
Setting a timeout with setsockopt is trivial though and it worked well
when I tested it.
Cheers
FRIGN
--
FRIGN <dev_AT_frign.de>
Received on Thu Aug 14 2014 - 11:03:31 CEST
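The receive timeout mentioned in the reply, as an added example (not code from the thread or from the server under discussion): the accepted socket gets SO_RCVTIMEO via setsockopt, so a blocking read() on a client that connected but never sends fails with EAGAIN/EWOULDBLOCK after the interval instead of pinning a worker process forever. The socketpair harness, the 200 ms value and the request bytes are constructed for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Arm a receive timeout on an already-connected socket. After this,
 * a blocking read() that sees no data within `ms` milliseconds fails
 * with EAGAIN/EWOULDBLOCK instead of blocking the worker forever. */
int set_recv_timeout(int fd, int ms)
{
    struct timeval tv;
    tv.tv_sec = ms / 1000;
    tv.tv_usec = (ms % 1000) * 1000;
    return setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
}

/* Read (the start of) a request header into buf.
 * Returns bytes read (>0), 0 on orderly close, -1 on error,
 * -2 when the receive timeout fires. */
ssize_t read_header(int fd, char *buf, size_t len, int timeout_ms)
{
    if (set_recv_timeout(fd, timeout_ms) < 0)
        return -1;
    ssize_t n = read(fd, buf, len);
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return -2;
    return n;
}

/* Demo harness (constructed): a socketpair stands in for an accept()ed
 * connection; sv[0] is the server side, sv[1] the client side.
 * The "client" either sends a request line or stays silent. */
ssize_t demo(int client_sends)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (client_sends) {
        const char req[] = "GET / HTTP/1.0\r\n\r\n"; /* 18 bytes */
        if (write(sv[1], req, sizeof req - 1) < 0)
            return -1;
    }
    char buf[1024];
    ssize_t n = read_header(sv[0], buf, sizeof buf, 200);
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void)
{
    printf("silent client:  %zd\n", demo(0)); /* -2: timed out */
    printf("talking client: %zd\n", demo(1)); /* 18 bytes read */
    return 0;
}
```

SO_RCVTIMEO bounds each individual read() call, not the whole header: a peer that trickles one byte per interval keeps the process alive indefinitely. A server that wants to cap total header time as well should also track elapsed time across the read loop (or use alarm()) and drop the connection when the overall deadline passes.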