DoS protection strategies
Ken Brownfield
krb at irridia.com
Tue Apr 18 19:58:07 BST 2006
On Apr 18, 2006, at 11:41 AM, Roberto Nibali wrote:
> Only on a really badly configured web server or maybe a 486
> machine :). Otherwise this does not hold. Every web server will
> handle at least 1000 concurrent TCP connections easily. After that
> you need some ulimit or epoll tweaking.
I agree that the ~1,000 simultaneous connection count is indeed the
general breaking point for select()- or poll()-based web servers (in
my experience), and epoll() is a much better solution as you say.
But Apache will not handle 1,000 simultaneous connections unless you
have 4GB of RAM, you're on a 32-bit platform, and you have every
feature turned off. And then only if you don't want any disk buffer/
cache. :)
With typical application server support (e.g., mod_php), Apache will
not reach 1000 processes without something like 8-16G of RAM. I've
never been able to set MaxClients above 200... Copy-on-write only
goes so far.
Sorry for the tangent, but throttling/DoS prevention is especially
important for any web/application server based on the process model.
Cheers,
--
Ken.
> Best regards,
> Roberto Nibali, ratz
> --
> echo '[q]sa[ln0=aln256%Pln256/snlbx]
> sb3135071790101768542287578439snlbxq' | dc
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> Send requests to lvs-users-request at LinuxVirtualServer.org
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
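Ken's point that Apache's process-per-connection model runs out of RAM long before it runs out of sockets is a capacity question that can be checked with numbers rather than argued. The following is an added example, not code from the thread or from the Apache project: it parses constructed `ps`-style lines to measure the average worker footprint, then derives how many prefork workers fit in the RAM left after reserving headroom for the kernel and page cache. The sample sizes, the 25% reserve and the shared-page estimate are assumptions for illustration; the single smallest httpd process is assumed to be the parent that only forks.

```python
"""Estimate a memory-safe Apache MaxClients from per-process RSS.

Added example for capacity planning against connection floods; it is not
code from the lvs-users thread or from Apache. Input is constructed text
in the shape of `ps -o pid=,rss=,comm=` output (RSS in KiB).
"""

# Constructed sample: one small parent, four mod_php-sized workers, a bystander.
SAMPLE_PS = """\
  1234  4096 httpd
  1235 28672 httpd
  1236 31744 httpd
  1237 30720 httpd
  1238 29696 httpd
   999 12288 sshd
"""

# Constructed config fragment, as a prefork httpd.conf might contain it.
SAMPLE_CONF = """\
MaxClients 256
KeepAlive On
"""


def parse_ps(text):
    """Return (pid, rss_kib, comm) tuples from ps-style text, skipping junk."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue
        rows.append((int(parts[0]), int(parts[1]), parts[2]))
    return rows


def worker_rss_kib(rows, comm="httpd"):
    """Average RSS (KiB) of worker processes.

    The smallest process is dropped: in prefork it is the parent, which only
    accepts and forks and would drag the average down (assumption).
    """
    rss = sorted(r[1] for r in rows if r[2] == comm)
    if len(rss) < 2:
        raise ValueError("need the parent plus at least one worker")
    workers = rss[1:]
    return sum(workers) / len(workers)


def max_clients(total_ram_kib, worker_kib, reserve_fraction=0.25, shared_kib=0):
    """Number of workers that fit after reserving RAM for OS and page cache.

    shared_kib approximates copy-on-write pages that ps counts in every
    worker's RSS but that exist only once; subtracting it avoids being
    overly pessimistic, while leaving it at 0 is the conservative choice.
    """
    usable = total_ram_kib * (1 - reserve_fraction)
    private = max(worker_kib - shared_kib, 1)
    return int(usable // private)


def configured_max_clients(conf_text):
    """Return the MaxClients value from an httpd.conf fragment, or None."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "maxclients":
            return int(parts[1])
    return None


def check_config(conf_text, total_ram_kib, ps_text, shared_kib=0):
    """Compare the configured MaxClients with the memory-derived ceiling.

    Returns (configured, recommended, over_committed). An over-committed
    setting means a connection flood can push the box into swap, which is
    the failure mode that makes process-model servers easy to knock over.
    """
    worker = worker_rss_kib(parse_ps(ps_text))
    recommended = max_clients(total_ram_kib, worker, shared_kib=shared_kib)
    configured = configured_max_clients(conf_text)
    over = configured is not None and configured > recommended
    return configured, recommended, over


if __name__ == "__main__":
    ram_4g = 4 * 1024 * 1024  # 4 GiB in KiB, the box Ken describes
    print(check_config(SAMPLE_CONF, ram_4g, SAMPLE_PS))
    print(check_config(SAMPLE_CONF, ram_4g, SAMPLE_PS, shared_kib=8192))
```

On the constructed sample the 4 GiB box supports about a hundred workers, not the 256 in the config, which is the same order as the ~200 ceiling Ken reports; raising `MaxClients` beyond the derived number does not add capacity, it adds a way to be swapped to death by a modest connection flood.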