From 8b139e001974a24c745adb30db9532b0f4450d5f Mon Sep 17 00:00:00 2001 From: Joshua Slive Date: Tue, 17 Jan 2006 16:56:01 +0000 Subject: [PATCH] A few small anti-DoS updates including the Limit* directives. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@369835 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/misc/security_tips.html.en | 25 +++++++++++++++++-------- docs/manual/misc/security_tips.xml | 25 +++++++++++++++++-------- docs/manual/misc/security_tips.xml.ko | 2 +- 3 files changed, 35 insertions(+), 17 deletions(-) diff --git a/docs/manual/misc/security_tips.html.en b/docs/manual/misc/security_tips.html.en index 531441e5485..e1c01f09776 100644 --- a/docs/manual/misc/security_tips.html.en +++ b/docs/manual/misc/security_tips.html.en @@ -64,17 +64,17 @@ -

All network servers are subject to denial of service atacks +

All network servers can be subject to denial of service atacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but you can do certain things to mitigate the problems that they create.

-

Often the most effective anti-DoS tools will be a firewall or - other operating-system tools. For example, most firewalls can be - configured to restrict the number of simultaneous connections from - any individual IP address or network, thus preventing a range of - simple attacks.

+

Often the most effective anti-DoS tool will be a firewall or + other operating-system configurations. For example, most + firewalls can be configured to restrict the number of simultaneous + connections from any individual IP address or network, thus + preventing a range of simple attacks.

There are also certain Apache HTTP Server configuration settings that can help mitigate problems:

@@ -85,10 +85,19 @@ Setting this to as low as a few seconds may be appropriate. See also the KeepAliveTimeout directive and various timeout-related directives provided by - other modules. + different modules. + +
  • The directives + LimitRequestBody, + LimitRequestFields, + LimitRequestFileSize, + LimitRequestLine, and + LimitXMLRequestBody + should be carefully configured to limit resource consumption + triggered by client input.
  • On operating systems that support it, make sure that you use - the AcceptFilter directive + the AcceptFilter directive to offload part of the request processing to the operating system. This is active by default in Apache httpd, but may require reconfiguration of your kernel.
  • diff --git a/docs/manual/misc/security_tips.xml b/docs/manual/misc/security_tips.xml index 5a777118724..e1b3b49c7be 100644 --- a/docs/manual/misc/security_tips.xml +++ b/docs/manual/misc/security_tips.xml @@ -56,17 +56,17 @@ Denial of Service (DoS) attacks -

    All network servers are subject to denial of service atacks +

    All network servers can be subject to denial of service atacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but you can do certain things to mitigate the problems that they create.

    -

    Often the most effective anti-DoS tools will be a firewall or - other operating-system tools. For example, most firewalls can be - configured to restrict the number of simultaneous connections from - any individual IP address or network, thus preventing a range of - simple attacks.

    +

    Often the most effective anti-DoS tool will be a firewall or + other operating-system configurations. For example, most + firewalls can be configured to restrict the number of simultaneous + connections from any individual IP address or network, thus + preventing a range of simple attacks.

    There are also certain Apache HTTP Server configuration settings that can help mitigate problems:

    @@ -77,10 +77,19 @@ Setting this to as low as a few seconds may be appropriate. See also the KeepAliveTimeout directive and various timeout-related directives provided by - other modules. + different modules. + +
  • The directives + LimitRequestBody, + LimitRequestFields, + LimitRequestFileSize, + LimitRequestLine, and + LimitXMLRequestBody + should be carefully configured to limit resource consumption + triggered by client input.
  • On operating systems that support it, make sure that you use - the AcceptFilter directive + the AcceptFilter directive to offload part of the request processing to the operating system. This is active by default in Apache httpd, but may require reconfiguration of your kernel.
  • diff --git a/docs/manual/misc/security_tips.xml.ko b/docs/manual/misc/security_tips.xml.ko index efb54bef225..2512ff66d34 100644 --- a/docs/manual/misc/security_tips.xml.ko +++ b/docs/manual/misc/security_tips.xml.ko @@ -1,7 +1,7 @@ - +
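Review bot: The rewritten opening sentence in the first hunk of security_tips.html.en (@@ -64,17) and of security_tips.xml (@@ -56,17) still reads "denial of service atacks". Since the line is being changed anyway, correct it to "attacks" in both files. In the second paragraph of the same hunks, "the most effective anti-DoS tool will be a firewall or other operating-system configurations" pairs a singular "tool" with a plural "configurations"; "a firewall or other operating-system configuration" would read cleanly.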
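Review bot: "LimitRequestFileSize" in the new list item (second hunk of security_tips.html.en, @@ -85,10, and of security_tips.xml, @@ -77,10) is not a directive name. The directive that caps the size of a request header field is LimitRequestFieldSize, so a reader searching for the name as written will not find it. Correct the name in both files. The item would also help more if it said what each directive bounds (request body size, number of header fields, header field size, request line length, XML request body size) rather than only that they "should be carefully configured".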