From 4f46f35697f07f916dafb64e99e2b59fa267500b Mon Sep 17 00:00:00 2001
From: Joshua Slive <slive@apache.org>
Date: Tue, 17 Jan 2006 16:01:56 +0000
Subject: [PATCH] Take a stab at documenting how we respond to DoS issues.
 Please review!

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@369825 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/manual/misc/security_tips.html.en | 54 ++++++++++++++++++++++++
 docs/manual/misc/security_tips.xml     | 57 ++++++++++++++++++++++++++
 2 files changed, 111 insertions(+)

diff --git a/docs/manual/misc/security_tips.html.en b/docs/manual/misc/security_tips.html.en
index 6786a37210c..531441e5485 100644
--- a/docs/manual/misc/security_tips.html.en
+++ b/docs/manual/misc/security_tips.html.en
@@ -26,6 +26,7 @@
     Some of the suggestions will be general, others specific to Apache.</p>
   </div>
 <div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">Keep up to Date</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#dos">Denial of Service (DoS) attacks</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li>
@@ -59,6 +60,59 @@
 
   </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="section">
+<h2><a name="dos" id="dos">Denial of Service (DoS) attacks</a></h2>
+
+    
+
+    <p>All network servers are subject to denial of service atacks
+    that attempt to prevent responses to clients by tying up the
+    resources of the server.  It is not possible to prevent such
+    attacks entirely, but you can do certain things to mitigate the
+    problems that they create.</p>
+
+    <p>Often the most effective anti-DoS tools will be a firewall or
+    other operating-system tools.  For example, most firewalls can be
+    configured to restrict the number of simultaneous connections from
+    any individual IP address or network, thus preventing a range of
+    simple attacks.</p>
+
+    <p>There are also certain Apache HTTP Server configuration
+    settings that can help mitigate problems:</p>
+
+    <ul>
+      <li>The <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> directive
+      should be lowered on sites that are subject to DoS attacks.
+      Setting this to as low as a few seconds may be appropriate.  See
+      also the <code class="directive"><a href="../mod/core.html#keepalivetimeout">KeepAliveTimeout</a></code>
+      directive and various timeout-related directives provided by
+      other modules.</li>
+
+      <li>On operating systems that support it, make sure that you use
+      the <code class="directive">AcceptFilter</code> directive
+      to offload part of the request processing to the operating
+      system.  This is active by default in Apache httpd, but may
+      require reconfiguration of your kernel.</li>
+
+      <li>Tune the <code class="directive"><a href="../mod/mpm_common.html#maxclients">MaxClients</a></code> directive to allow
+      the server to handle the maximum number of simultaneous
+      connections without running out of resources.  See also the <a href="perf-tuning.html">performance tuning
+      documentation</a>.</li>
+
+      <li>The use of a threaded <a href="../mpm.html">mpm</a> may
+      allow you to handle more simultaneous connections, thereby
+      mitigating DoS attacks.  Further, the <code class="module"><a href="../mod/event.html">event</a></code> mpm
+      uses asynchronous processing to avoid devoting a thread to each
+      connection.</li>
+
+      <li>There are a number of third-party modules available through
+      <a href="http://modules.apache.org/">http://modules.apache.org/</a>
+      that can restrict certain client behaviors and thereby mitigate
+      DoS problems.</li>
+     
+    </ul>
+
+  </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
 <h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
   
     
diff --git a/docs/manual/misc/security_tips.xml b/docs/manual/misc/security_tips.xml
index 422d3317e20..5a777118724 100644
--- a/docs/manual/misc/security_tips.xml
+++ b/docs/manual/misc/security_tips.xml
@@ -52,6 +52,63 @@
 
   </section>
 
+  <section id="dos">
+
+    <title>Denial of Service (DoS) attacks</title>
+
+    <p>All network servers are subject to denial of service atacks
+    that attempt to prevent responses to clients by tying up the
+    resources of the server.  It is not possible to prevent such
+    attacks entirely, but you can do certain things to mitigate the
+    problems that they create.</p>
+
+    <p>Often the most effective anti-DoS tools will be a firewall or
+    other operating-system tools.  For example, most firewalls can be
+    configured to restrict the number of simultaneous connections from
+    any individual IP address or network, thus preventing a range of
+    simple attacks.</p>
+
+    <p>There are also certain Apache HTTP Server configuration
+    settings that can help mitigate problems:</p>
+
+    <ul>
+      <li>The <directive module="core">TimeOut</directive> directive
+      should be lowered on sites that are subject to DoS attacks.
+      Setting this to as low as a few seconds may be appropriate.  See
+      also the <directive module="core">KeepAliveTimeout</directive>
+      directive and various timeout-related directives provided by
+      other modules.</li>
+
+      <li>On operating systems that support it, make sure that you use
+      the <directive mdoule="core">AcceptFilter</directive> directive
+      to offload part of the request processing to the operating
+      system.  This is active by default in Apache httpd, but may
+      require reconfiguration of your kernel.</li>
+
+      <li>Tune the <directive
+      module="mpm_common">MaxClients</directive> directive to allow
+      the server to handle the maximum number of simultaneous
+      connections without running out of resources.  See also the <a
+      href="perf-tuning.html">performance tuning
+      documentation</a>.</li>
+
+      <li>The use of a threaded <a href="../mpm.html">mpm</a> may
+      allow you to handle more simultaneous connections, thereby
+      mitigating DoS attacks.  Further, the <module>event</module> mpm
+      uses asynchronous processing to avoid devoting a thread to each
+      connection.</li>
+
+      <li>There are a number of third-party modules available through
+      <a
+      href="http://modules.apache.org/">http://modules.apache.org/</a>
+      that can restrict certain client behaviors and thereby mitigate
+      DoS problems.</li>
+     
+    </ul>
+
+  </section>
+    
+
   <section id="serverroot">
   
     <title>Permissions on ServerRoot Directories</title>
-- 
2.47.2