On Mon, Jan 30, 2012 at 03:56:52PM +0100, Nouha Terzi wrote:
> Hi,
>
> As suggested here:
> https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
> Modifying those directives can protect against slow HTTP attacks and make
> the attacks more difficult to execute:
>
> - LimitRequestFields
> - LimitRequestFieldSize
> - LimitRequestBody
> - LimitRequestLine
> - LimitXMLRequestBody
> - TimeOut
> - KeepAliveTimeOut
> - ListenBackLog’s
> - MaxRequestWorkers
> - AcceptFilter
>
> Has someone already configured a svn apache server to handle slow http
> attacks?
> Is there any known impact of these apache directives?
>
> Thank you in advance.

I wouldn't recommend changing any of these from the defaults, unless
you are 100% sure that there is a real threat to your server because
of the default value of one or more of these options.

Have you actually had the problem described in the blog post?
Keep in mind that this is a blog.

Have you already checked the official Apache HTTPD documentation?
Maybe it discusses the implications of changing the default values.

From the options in this list, KeepAliveTimeOut is probably most
relevant to Subversion. If you set this too low Subversion clients
will have problems with dropped connections during checkout and
update operations. Subversion clients sometimes need to do some
amount of local processing (such as copying a temporary file)
before they will send another request. If the server has dropped
the connection before the local operation has finished the client
will error out.

I have no idea how you could distinguish between a Subversion client
doing some local processing and a malicious client that sends some
requests and then waits in order to try a "slow HTTP attack" as
described in the blog post. I would say don't worry about this unless
you can prove that somebody is using this strategy to deny access to
your server.
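
An added example, not part of the original thread: one way to look for evidence of the situation discussed above is to read the worker states that Apache's mod_status reports in its `?auto` scoreboard, where `R` is a worker reading a request and `K` is a worker holding an idle keep-alive connection. It assumes mod_status is enabled; the sample scoreboards are constructed and the 50% alert ratio is an assumed threshold, not a recommended value.

```python
from collections import Counter

# Constructed samples of mod_status "?auto" output (not taken from the thread).
# Scoreboard keys: R = reading request, K = keepalive, W = sending reply,
# _ = waiting for connection, . = open slot with no current process.
SAMPLE_MANY_READERS = """\
BusyWorkers: 14
IdleWorkers: 2
Scoreboard: RRRRRRRRRRKKWW__....
"""

SAMPLE_IDLE_KEEPALIVE = """\
BusyWorkers: 9
IdleWorkers: 7
Scoreboard: KKKKKKWW_R______....
"""


def parse_scoreboard(status_text):
    """Return a Counter of worker-state characters from the Scoreboard line."""
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Scoreboard":
            return Counter(value.strip())
    raise ValueError("no Scoreboard line found")


def summarize(status_text, read_alert_ratio=0.5):
    """Report how many worker slots are stuck reading a request.

    read_alert_ratio is an assumed threshold; tune it against a baseline
    taken from your own server under normal Subversion load.
    """
    counts = parse_scoreboard(status_text)
    slots = sum(counts.values()) - counts["."]  # ignore unused slots
    if slots == 0:
        raise ValueError("scoreboard has no active worker slots")
    read_ratio = counts["R"] / slots
    return {
        "slots": slots,
        "reading": counts["R"],
        "keepalive": counts["K"],
        "read_ratio": read_ratio,
        "suspicious": read_ratio >= read_alert_ratio,
    }


if __name__ == "__main__":
    for name, text in (("many readers", SAMPLE_MANY_READERS),
                       ("idle keepalive", SAMPLE_IDLE_KEEPALIVE)):
        print(name, summarize(text))
```

Sampling this periodically and comparing against a baseline gives a record of whether workers are actually being held in the read state before any directive is changed.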