Given some incentive after deep consideration of the slowloris claims. 
While I still do not believe Squid is vulnerable per se and some people 
tested and found no such failures as claimed.
We could provide better administrative controls.  This is one such that 
has been asked about many times and still does not exist.
It's tested immediately after accept() and is request type agnostic, 
right down to DNS TCP links, so care is warranted in hierarchy situations.
Utilizes the client DB to monitor accepted TCP links. Operates prior to 
everything so as to eliminate resource usage on the blocking case and 
close the windows of opportunity for dribble-attacks etc.
Default is to keep the status-quo of no limits.
After some discussion with Robert on IRC, we came to the agreement that 
prior to receiving the headers there is nothing Squid can do except a 
per-IP barrier. And post receiving headers it's too hard to tell the 
difference between a genuine slow request and an attack, so should not 
care and pass the request anyway.
This limit controls the first case, ACLs already control the second.
Amos
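The mechanism Amos describes above, an accept-time per-IP barrier that runs before any byte of the request is read, shown as an added example. This is constructed illustration code, not Squid's own implementation: `ClientDb`, `gated_accept` and `simulate` are hypothetical names, and the in-memory per-IP counter stands in for Squid's client DB. The default of `NO_LIMIT` keeps the status quo of no limits, as the post says.

```python
"""Accept-time per-client-IP connection cap (constructed example, not Squid code).

The gate runs right after accept(), before any byte of the request is read,
so a rejected connection never consumes parsing state or buffers, and the
check is request-type agnostic (HTTP, DNS-over-TCP, anything else).
"""
import socket
import threading
from collections import defaultdict

NO_LIMIT = 0  # default: keep the status quo of no per-IP limit


class ClientDb:
    """Per-IP count of currently open accepted TCP links.
    Hypothetical stand-in for Squid's client DB."""

    def __init__(self):
        self._lock = threading.Lock()
        self._open = defaultdict(int)

    def try_admit(self, ip, limit):
        """Record the new link and return True, or return False when the IP
        already holds `limit` open links. limit == NO_LIMIT admits everything."""
        with self._lock:
            if limit != NO_LIMIT and self._open[ip] >= limit:
                return False
            self._open[ip] += 1
            return True

    def release(self, ip):
        """Forget one closed link for this IP."""
        with self._lock:
            if self._open[ip] > 0:
                self._open[ip] -= 1
            if self._open[ip] == 0:
                del self._open[ip]

    def open_count(self, ip):
        with self._lock:
            return self._open.get(ip, 0)


def gated_accept(listener, db, limit):
    """accept() one connection and apply the per-IP barrier immediately.
    Returns (conn, ip) when admitted, or (None, ip) after closing a
    rejected socket without ever reading from it."""
    conn, (ip, _port) = listener.accept()
    if db.try_admit(ip, limit):
        return conn, ip
    conn.close()  # no read, no parse: nothing further is spent on it
    return None, ip


def simulate(events, limit):
    """Replay ("open", ip) / ("close", ip) events (constructed input) against
    a fresh ClientDb and return the admit decision for each "open" in order."""
    db = ClientDb()
    decisions = []
    for kind, ip in events:
        if kind == "open":
            decisions.append(db.try_admit(ip, limit))
        elif kind == "close":
            db.release(ip)
    return decisions


if __name__ == "__main__":
    # Local demonstration: three connections from 127.0.0.1 against a limit of 2.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    db = ClientDb()
    clients = [socket.create_connection(listener.getsockname()) for _ in range(3)]
    admitted = []
    for _ in clients:
        conn, ip = gated_accept(listener, db, limit=2)
        print(ip, "admitted" if conn else "rejected at accept()")
        if conn:
            admitted.append(conn)
    for s in admitted + clients:
        s.close()
    listener.close()
```

Because the count is keyed purely on the peer address, the hierarchy caveat from the post applies here too: a parent or sibling proxy, or many users behind one NAT address, all share a single counter, so any non-zero limit must be sized with those sources in mind.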
This archive was generated by hypermail 2.2.0 : Sat Jun 27 2009 - 12:00:04 MDT