Bugtraq mailing list archives

Re: Apache DoS Attack


From: dgaudet-list-bugtraq () ARCTIC ORG (Dean Gaudet)
Date: Wed, 12 Aug 1998 15:37:59 -0700


On Tue, 11 Aug 1998, Pim van Riezen wrote:

> Is there any good reason for any of these programs to merge headers
> internally in the first place?

The HTTP standard requires semantic equivalence between merged and
unmerged forms of the headers.  See RFC2068, section 4.2.  So yeah, you
have to think about this problem if you intend to implement the
protocol...  there are a few other things in the standard you should
consider too ;)  You'll run into it rather fast; I believe some versions
of Lynx send several "Accept" headers.

Apache treats headers as a single string, and it merges them as it's
allowed to.  The merge was O(n^2) space.  It's O(n*lg(n)) time, O(n) space
in our current development version.

An alternative is to preparse the headers and use a linked list.  This
would be a large change to the Apache API, and won't be attempted in the
1.x timeframe.

Dean
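
An added example, not part of the original message and not Apache's code: it contrasts merging repeated header values one pair at a time with sizing the result first and copying once, and counts the bytes each approach takes from the pool. It assumes a per-request pool that releases nothing until the request ends (the message does not describe the old implementation); `pool_alloc`, `merge_pairwise`, `merge_once`, `pool_cost` and the sample value are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of a per-request pool: nothing is freed until the request ends. */
static char arena[8u << 20];
static size_t pool_bytes;
static void *pool_alloc(size_t n) {
    if (n > sizeof arena - pool_bytes) abort();
    return arena + (pool_bytes += n) - n;
}
/* Merge one value at a time: each step copies the whole string so far. */
static char *merge_pairwise(const char **vals, size_t n) {
    char *acc = NULL;
    for (size_t i = 0; i < n; i++) {
        size_t old = i ? strlen(acc) : 0, sep = i ? 2 : 0, add = strlen(vals[i]);
        char *next = pool_alloc(old + sep + add + 1);
        if (i) { memcpy(next, acc, old); memcpy(next + old, ", ", 2); }
        memcpy(next + old + sep, vals[i], add + 1);
        acc = next;
    }
    return acc;
}
/* Size the result first, then allocate and copy once. */
static char *merge_once(const char **vals, size_t n) {
    size_t total = 1;
    for (size_t i = 0; i < n; i++) total += strlen(vals[i]) + (i ? 2 : 0);
    char *out = pool_alloc(total), *p = out;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(vals[i]);
        if (i) { memcpy(p, ", ", 2); p += 2; }
        memcpy(p, vals[i], len); p += len;
    }
    *p = '\0';
    return out;
}
/* Pool bytes consumed by merging n copies of a constructed header value. */
static size_t pool_cost(int pairwise, size_t n) {
    static const char *vals[1024];
    if (n > 1024) n = 1024;
    for (size_t i = 0; i < n; i++) vals[i] = "text/html";
    pool_bytes = 0;
    if (pairwise) merge_pairwise(vals, n); else merge_once(vals, n);
    return pool_bytes;
}
int main(void) {
    for (size_t n = 10; n <= 1000; n *= 10)
        printf("n=%zu pairwise=%zu once=%zu\n", n, pool_cost(1, n), pool_cost(0, n));
    return 0;
}
```

Both functions produce the same merged value; only the pool footprint differs, which is why a cap on header count and total header size per request is the usual complementary control.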


