On Thu, 14 Aug 2014 09:52:44 +0100 Dimitris Papastamos <d...@spl9.org> wrote:
> One thing that needs to be fixed in the current model
> is to timeout existing connections that we have received no
> data from in a time interval.
>
> So consider the following:
>
> for i in $(seq 1 1000); do
>     nc 127.0.0.1 &
> done
>
> This will create 1000 processes on the server, all of them
> blocked on a read().

Exactly! This opens a security hole for DDoS attacks in which the attacker just sends a non-terminated header.

Setting a timeout with setsockopt is trivial though and it worked well when I tested it.

Cheers

FRIGN

-- 
FRIGN <d...@frign.de>
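The setsockopt timeout FRIGN refers to is SO_RCVTIMEO: once set, a blocking read() on the accepted socket fails with EAGAIN/EWOULDBLOCK after the interval instead of holding the process forever. The following is an added example, not code from this thread or from the server being discussed; it uses a socketpair as a stand-in for an accepted TCP connection, and the function names (set_recv_timeout, read_header_timeout, simulate_client) and the sample request line are constructed for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Make a blocking read() on fd give up after `seconds` of silence.
 * Returns 0 on success, -1 (errno set) on failure. */
int set_recv_timeout(int fd, long seconds)
{
	struct timeval tv = { .tv_sec = seconds, .tv_usec = 0 };
	return setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
}

/* Read up to n-1 bytes of a request header from fd, giving the peer at most
 * `seconds` to send anything. Returns the number of bytes read (NUL-terminated
 * into buf), 0 on EOF, -1 on a real error, and -2 if the peer stayed silent
 * until the timeout fired. A caller would close the connection on -2. */
ssize_t read_header_timeout(int fd, char *buf, size_t n, long seconds)
{
	ssize_t r;

	if (set_recv_timeout(fd, seconds) < 0)
		return -1;
	r = read(fd, buf, n - 1);
	if (r < 0)
		return (errno == EAGAIN || errno == EWOULDBLOCK) ? -2 : -1;
	buf[r] = '\0';
	return r;
}

/* Constructed scenario: sv[0] plays the server's accepted socket, sv[1] the
 * client. With send_header == 0 the client behaves like the idle nc processes
 * above and never writes; otherwise it sends a (constructed) request first.
 * Returns whatever read_header_timeout() produced on the server side. */
ssize_t simulate_client(int send_header, long seconds)
{
	int sv[2];
	char buf[256];
	ssize_t r;
	const char hdr[] = "GET / HTTP/1.0\r\n\r\n"; /* constructed sample request */

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return -1;
	if (send_header && write(sv[1], hdr, sizeof(hdr) - 1) != (ssize_t)(sizeof(hdr) - 1)) {
		close(sv[0]);
		close(sv[1]);
		return -1;
	}
	r = read_header_timeout(sv[0], buf, sizeof(buf), seconds);
	close(sv[0]);
	close(sv[1]);
	return r;
}

int main(void)
{
	/* The silent client is dropped after one second; the active one is served. */
	printf("silent client: %zd\n", simulate_client(0, 1));
	printf("active client: %zd bytes\n", simulate_client(1, 1));
	return 0;
}
```

In a forking server the timeout must be set on each accepted socket (the child's fd) before the first read(); setting it on the listening socket alone does nothing for the connections that get forked off. SO_RCVTIMEO only bounds a single blocking call, so a client that trickles one byte per interval still needs an overall deadline on the whole header read.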