On Thu, 14 Aug 2014 09:52:44 +0100
Dimitris Papastamos <d...@spl9.org> wrote:

> One thing that needs to be fixed in the current model
> is to timeout existing connections that we have received no
> data from in a time interval.
> 
> So consider the following:
> 
> for i in $(seq 1 1000); do
>       nc 127.0.0.1 &
> done
> 
> This will create 1000 processes on the server, all of them
> blocked on a read().

Exactly!

This opens a security-hole for DDoS-attacks in which the attacker just
sends a non-terminated header.
Setting a timeout with setsockopt is trivial though and it worked well
when I tested it.

Cheers

FRIGN

-- 
FRIGN <d...@frign.de>
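The setsockopt() timeout mentioned above, as an added example that is not code from the thread or from the server being discussed. It sets SO_RCVTIMEO on the accepted socket so a blocking read() gives up after a bounded interval instead of holding the process forever when a client sends a header that is never terminated. The helper names (set_recv_timeout, read_header, the two demo functions) are hypothetical, and a socketpair() stands in for an accepted TCP connection so the program runs offline; the request strings are constructed sample input.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: bound how long a single blocking read() on fd
 * may wait for data. Returns 0 on success, -1 on error. */
int set_recv_timeout(int fd, long sec, long usec)
{
	struct timeval tv = { .tv_sec = sec, .tv_usec = usec };
	return setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
}

/* Read a request header from fd until "\r\n\r\n", EOF or a full buffer.
 * Returns the number of bytes read, -1 on a read error, or -2 when no
 * data arrived within the SO_RCVTIMEO interval (the client stalled). */
ssize_t read_header(int fd, char *buf, size_t len)
{
	size_t off = 0;

	while (off < len - 1) {
		ssize_t n = read(fd, buf + off, len - 1 - off);
		if (n < 0) {
			if (errno == EINTR)
				continue;
			if (errno == EAGAIN || errno == EWOULDBLOCK)
				return -2; /* timeout fired */
			return -1;
		}
		if (n == 0)
			break; /* peer closed */
		off += (size_t)n;
		buf[off] = '\0';
		if (strstr(buf, "\r\n\r\n"))
			break; /* header complete */
	}
	buf[off] = '\0';
	return (ssize_t)off;
}

/* Run one request through read_header() with a 200 ms timeout.
 * sv[0] plays the client, sv[1] the server side of the connection. */
static ssize_t run_request(const char *request)
{
	int sv[2];
	char buf[256];
	ssize_t r;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return -1;
	if (write(sv[0], request, strlen(request)) < 0)
		return -1;
	if (set_recv_timeout(sv[1], 0, 200000) < 0)
		return -1;
	r = read_header(sv[1], buf, sizeof(buf));
	close(sv[0]);
	close(sv[1]);
	return r;
}

/* Constructed input: a header that is never terminated. Without the
 * timeout the server process would block in read() indefinitely;
 * with it, read_header() returns -2 after 200 ms. */
ssize_t demo_stalled_client(void)
{
	return run_request("GET / HTTP/1.0\r\nHost: example");
}

/* Constructed input: a complete header, returned as 33 bytes. */
ssize_t demo_complete_client(void)
{
	return run_request("GET / HTTP/1.0\r\nHost: example\r\n\r\n");
}

int main(void)
{
	printf("stalled client: %zd\n", demo_stalled_client());
	printf("complete client: %zd\n", demo_complete_client());
	return 0;
}
```

SO_RCVTIMEO bounds each individual read() call, not the whole request: a client that sends one byte just inside every interval still keeps its process alive, so a server that wants a hard bound on the per-request wait also needs an overall deadline (for example, tracking elapsed time across the read loop or using alarm()).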
