[web-devel] questions about ResponseEnumerator

Kazu Yamamoto ( 山本和彦 ) kazu at iij.ad.jp
Mon Oct 24 04:50:01 CEST 2011


Hello,

> Apache is considered vulnerable to slowloris because it has a limited thread
> pool. Nginx is not considered vulnerable to slowloris because it uses an
> evented architecture and by default drops connections after 60 seconds that
> have not been completed. Technically we say our Haskell web servers are using
> threads, but they are managed by a very fast evented system. So we can hold
> many unused connections open like Nginx and should not be vulnerable if we
> have a timeout that cannot be tickled. This could make for an interesting
> benchmark - how many slowloris connections can we take on? The code from Kazu
> makes just one connection - it does not demonstrate a successful slowloris
> attack, just one successful slowloris connection.

If you want, I can create code to do a real slowloris attack to consume the
file descriptors of a server. It's quite easy.

> If we limit the number of connections per ip address, that means a slowloris
> attack will require the coordination of thousands of nodes and make it highly
> impractical. 

If we pay money, we can use a *botnet* to do this. This actually
happens in the real world. But I don't think a bad guy targets your
web server.

--Kazu
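The two defences discussed in this thread, a head-read timeout that "cannot be tickled" and a per-IP connection cap, can be shown without any network code. The following is an added example and is not part of the original message, nor code from Warp or any other Haskell server; it is a Python simulation whose timeline, IP address and limits are all constructed. It contrasts an absolute deadline anchored at accept time with an idle timeout that resets on every byte, and shows why only the first one holds against a client that trickles one header line per period.

```python
"""Simulated slowloris defences: an absolute request-head deadline and a
per-IP connection cap. Pure simulation, no sockets; all values constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

HEAD_END = b"\r\n\r\n"  # end of the HTTP request head


@dataclass
class Conn:
    ip: str
    opened_at: int      # seconds, simulated clock
    last_activity: int
    buf: bytes = b""
    state: str = "open"  # "open" | "complete" | "timeout"


class HeadGuard:
    """Tracks connections until their request head is complete.

    tickleable=False: the deadline is measured from accept(); trickling
    bytes does not extend it (the timeout that "cannot be tickled").
    tickleable=True:  the deadline resets on every byte received (an idle
    timeout), which a slow client defeats by sending a byte per period.
    """

    def __init__(self, deadline: int, max_per_ip: int, tickleable: bool = False):
        self.deadline = deadline
        self.max_per_ip = max_per_ip
        self.tickleable = tickleable
        self.per_ip: dict[str, int] = defaultdict(int)
        self.conns: list[Conn] = []

    def accept(self, ip: str, now: int) -> Optional[Conn]:
        """Admit a connection unless this IP already holds max_per_ip open ones."""
        if self.per_ip[ip] >= self.max_per_ip:
            return None
        conn = Conn(ip=ip, opened_at=now, last_activity=now)
        self.per_ip[ip] += 1
        self.conns.append(conn)
        return conn

    def feed(self, conn: Conn, data: bytes, now: int) -> None:
        """Deliver bytes; the head is complete once the blank line arrives."""
        if conn.state != "open":
            return
        conn.buf += data
        conn.last_activity = now
        if HEAD_END in conn.buf:
            self._close(conn, "complete")

    def tick(self, now: int) -> int:
        """Reap open connections whose deadline has passed; returns the count."""
        reaped = 0
        for conn in self.conns:
            if conn.state != "open":
                continue
            anchor = conn.last_activity if self.tickleable else conn.opened_at
            if now - anchor >= self.deadline:
                self._close(conn, "timeout")
                reaped += 1
        return reaped

    def _close(self, conn: Conn, state: str) -> None:
        conn.state = state
        self.per_ip[conn.ip] -= 1  # free the slot for this IP

    def open_count(self, ip: Optional[str] = None) -> int:
        return sum(1 for c in self.conns
                   if c.state == "open" and (ip is None or c.ip == ip))


def simulate_trickle(tickleable: bool, deadline: int = 30,
                     period: int = 10, horizon: int = 300) -> dict:
    """One client sends the request line, then one header line every `period`
    seconds and never sends the terminating blank line. Reports whether and
    when the guard closed it within `horizon` seconds."""
    guard = HeadGuard(deadline=deadline, max_per_ip=20, tickleable=tickleable)
    conn = guard.accept("198.51.100.7", now=0)   # constructed documentation IP
    guard.feed(conn, b"GET / HTTP/1.1\r\n", 0)
    t = 0
    while t < horizon and conn.state == "open":
        t += 1
        guard.tick(t)
        if conn.state == "open" and t % period == 0:
            guard.feed(conn, b"X-a: b\r\n", t)   # keeps the idle timer happy
    return {"state": conn.state, "closed_at": t if conn.state != "open" else None}


def simulate_flood(max_per_ip: int = 20, attempts: int = 500) -> dict:
    """Many connection attempts from one IP at the same instant: the cap
    bounds how many file descriptors a single address can tie up."""
    guard = HeadGuard(deadline=30, max_per_ip=max_per_ip)
    accepted = rejected = 0
    for _ in range(attempts):
        if guard.accept("198.51.100.7", now=0) is None:
            rejected += 1
        else:
            accepted += 1
    return {"accepted": accepted, "rejected": rejected,
            "open": guard.open_count("198.51.100.7")}


if __name__ == "__main__":
    print("absolute deadline:", simulate_trickle(tickleable=False))
    print("idle timeout:     ", simulate_trickle(tickleable=True))
    print("per-IP cap:       ", simulate_flood())
```

With a 30-second deadline and a header line every 10 seconds, the absolute deadline closes the connection at t=30 while the idle timeout never fires within the 300-second horizon; the per-IP cap admits the first 20 connections from the address and rejects the remaining 480. Real servers would also count the connection against the cap only until the response is sent, which `_close` models by decrementing the per-IP counter whenever a connection leaves the open state.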
