From 9f76eade3dd69e44d67b98128d389422a36e6c98 Mon Sep 17 00:00:00 2001
From: Ruediger Pluem
Date: Tue, 17 Jan 2006 19:58:19 +0000
Subject: [PATCH] * Add a sentence about DDoS. * Mention problems with low
Timeouts and long running CGIs. * Stress the experimental character of
event MPM and that it does not work with SSL currently.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@369902 13f79535-47bb-0310-9956-ffa450edef68
---
docs/manual/misc/security_tips.xml | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/docs/manual/misc/security_tips.xml b/docs/manual/misc/security_tips.xml
index 72a82000259..2d3fb80ed65 100644
--- a/docs/manual/misc/security_tips.xml
+++ b/docs/manual/misc/security_tips.xml
@@ -66,7 +66,8 @@
other operating-system configurations. For example, most
firewalls can be configured to restrict the number of simultaneous
connections from any individual IP address or network, thus
- preventing a range of simple attacks.
+ preventing a range of simple attacks. Of course this is no help
+ against Distributed Denial of Service attacks (DDoS).
There are also certain Apache HTTP Server configuration
settings that can help mitigate problems:
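Review bot: the added sentence at the top of this hunk says per-address connection limits are "no help" against DDoS but never says why, which is exactly the point a reader configuring a firewall needs; suggest replacing "Of course this is no help against Distributed Denial of Service attacks (DDoS)." with something like "This provides no protection against Distributed Denial of Service (DDoS) attacks, where requests come from many addresses and no single address exceeds the limit." The "Of course" opener is also out of register for the rest of the page and can be dropped.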
@@ -74,10 +75,19 @@
- The TimeOut directive
should be lowered on sites that are subject to DoS attacks.
- Setting this to as low as a few seconds may be appropriate. See
- also the KeepAliveTimeout
- directive and various timeout-related directives provided by
- different modules.
+ Setting this to as low as a few seconds may be appropriate.
+ As TimeOut is currently
+ used for several different operations, setting it to a low value
+ introduces problems with long running CGI scripts.
+
+ - The KeepAliveTimeout
+ directive may be also lowered on sites that are subject to DoS
+ attacks. Some sites even turn off the keepalives completely via
+ KeepAlive, which has of course
+ other drawbacks on performance.
+
+ - The values of various timeout-related directives provided by
+ other modules should be checked.
- The directives
LimitRequestBody,
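Review bot: the new sentence "setting it to a low value introduces problems with long running CGI scripts" names a trade-off without stating what actually happens, so the administrator cannot weigh it; say which of the "several different operations" share the TimeOut timer and what the failure looks like for a CGI that does not respond within the limit (for example, that the request is aborted), or the warning is not actionable. Two smaller points in the same hunk: "may be also lowered" should read "may also be lowered", and "which has of course other drawbacks on performance" reads better as "which of course has other performance drawbacks". The last new item, "should be checked", is vague; "should be reviewed and lowered where appropriate" says what the check is for.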
@@ -103,9 +113,13 @@
- The use of a threaded mpm may
allow you to handle more simultaneous connections, thereby
- mitigating DoS attacks. Further, the event mpm
+ mitigating DoS attacks. Further, the experimental
+ event mpm
uses asynchronous processing to avoid devoting a thread to each
- connection.
+ connection. At the current point of time this
+ is work in progress and not fully implemented. Especially the
+ event mpm is currently incompatible with
+ mod_ssl and other input filters.
- There are a number of third-party modules available through
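Review bot: the hunk says the event MPM is "currently incompatible with mod_ssl and other input filters" but stops short of the practical consequence, which is the sentence an administrator reading a security-tips page will look for; suggest closing with "so it should not be used on sites that serve HTTPS." Wording in the same span: "At the current point of time this is work in progress and not fully implemented" is awkward and can be "At present this is work in progress and not fully implemented", and "Especially the event mpm is" should be "In particular, the event MPM is", so that the sentence does not open with a dangling adverb.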