[Haskell] Re: [Haskell-cafe] ANNOUNCE: enumerator, an alternative iteratee package

John Millikin jmillikin at gmail.com
Fri Aug 20 17:32:13 EDT 2010


On Fri, Aug 20, 2010 at 12:52, Magnus Therning <magnus at therning.org> wrote:
> You don't need to send that much data, the current implementation of
> Enumerator uses hGet, which blocks, so just send the server a few bytes and
> it'll be sitting there waiting for input until it times out (if ever).
> Open a few hundred of those connections and you're likely to cause the
> server to run out of FDs.  Of course this is already coded up in tools
> like slowloris[1] :-)

Correct me if I'm wrong, but I'm pretty sure changing the
implementation to something non-blocking like hGetNonBlocking will not
fix this. Hooking up an iteratee to an enumerator which doesn't block
will cause it to loop forever, which is arguably worse than simply
blocking.

The best way I can think of to defeat a handle-exhaustion attack is to
enforce a timeout on HTTP header parsing, using something like
System.Timeout. This protects against slowloris, since requiring the
entire header to be parsed within some fixed small period of time
prevents the socket from being held open via slowly-trickled headers.
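
The timeout approach described in the message above, as an added example that is not part of the original post or of the enumerator package: System.Timeout's `timeout` wraps the whole header read. The names `readHeader`, `headerWithDeadline` and `scripted`, the 8192-byte cap and the sample requests are constructed for illustration; a real server would pass its socket receive action as `recv`.

```haskell
import Control.Concurrent (threadDelay)
import qualified Data.ByteString.Char8 as B
import Data.IORef (atomicModifyIORef, newIORef)
import System.Timeout (timeout)

data Outcome = Parsed B.ByteString | Malformed | TimedOut deriving (Eq, Show)

-- Accumulate chunks from 'recv' until the blank line that ends the header.
-- Nothing means EOF before the terminator, or more than maxBytes buffered.
readHeader :: Int -> IO B.ByteString -> IO (Maybe B.ByteString)
readHeader maxBytes recv = go B.empty
  where
    go acc = case B.breakSubstring (B.pack "\r\n\r\n") acc of
      (hdr, rest) | not (B.null rest) -> return (Just hdr)
      _ | B.length acc > maxBytes -> return Nothing
        | otherwise -> do
            chunk <- recv
            if B.null chunk then return Nothing else go (B.append acc chunk)

-- One deadline around the whole header read. A timeout applied to each read
-- separately would be reset by every trickled byte and would not help.
headerWithDeadline :: Int -> Int -> IO B.ByteString -> IO Outcome
headerWithDeadline micros maxBytes recv = do
  r <- timeout micros (readHeader maxBytes recv)
  return $ case r of
    Nothing         -> TimedOut
    Just Nothing    -> Malformed
    Just (Just hdr) -> Parsed hdr

-- Constructed stand-in for a socket read: returns one chunk per call after
-- sleeping delayMicros, then the empty string (EOF) once chunks run out.
scripted :: Int -> [String] -> IO (IO B.ByteString)
scripted delayMicros chunks = do
  ref <- newIORef (map B.pack chunks)
  return $ do
    threadDelay delayMicros
    atomicModifyIORef ref $ \cs -> case cs of
      []        -> ([], B.empty)
      (c : cs') -> (cs', c)

main :: IO ()
main = do
  -- Constructed sample traffic: a prompt client and a trickling one.
  prompt  <- scripted 1000   ["GET / HTTP/1.1\r\n", "Host: example.test\r\n", "\r\n"]
  trickle <- scripted 400000 ["GET / HTTP/1.1\r\n", "X-a: b\r\n", "X-c: d\r\n"]
  headerWithDeadline 500000 8192 prompt  >>= print  -- terminator arrives in time
  headerWithDeadline 500000 8192 trickle >>= print  -- deadline fires mid-header
```

On `TimedOut` or `Malformed` the caller closes the connection, which is what frees the file descriptor.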

