Also, I compared the same test with the following:

- Django dev server: Silly test, I know, but because the Django dev server doesn't use keep-alive connections and closes the connection as soon as a response is given, the attack fails.
- IIS with ASP.NET (C#) application, behind the same kind of AWS load balancer: The attack fails even with 4096 connections, although IIS uses a threaded processing model similar to the Apache one. I'm not sure why the attack fails without any further defense, probably because IIS allows 5000 concurrent requests per CPU and has a better way to handle this kind of request, but the site never stopped accepting and processing regular requests even with 4000 concurrent slow requests (can't go above this with my own machine).

Makes me a bit sad Apache is so vulnerable to this kind of attack, compared to Microsoft's IIS for example, although the comparison is probably not fair at all.
