
Comment: lighttpd and nginx (Score -1) 203

by karavelov (#28393193) Attached to: Attack On a Significant Flaw In Apache Released

I have tested this DoS attack against lighttpd and nginx. Out of the box both servers are vulnerable (despite the note in the announcement that lighttpd is not vulnerable; just use a large enough number of connections). Nginx could be configured to not be affected by this type of attack:

Put in "http" section:

client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 10;
send_timeout 10;
limit_zone limit_per_ip $binary_remote_addr 1m;

and put in "server" section:

limit_conn limit_per_ip 16;

The last 2 configuration lines are for limiting connections per client IP. The first lines are some sane connection timeouts.

Maybe lighttpd could be configured in a similar manner, but I am not a specialist in it.

Best regards
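
Added example (not part of the comment above, and not nginx project code): a small Python audit that checks an nginx configuration for the timeout directives and the per-IP connection limit the comment describes, including whether limit_conn refers to a zone that is actually defined. The function names, the 30-second threshold and both sample configs are assumptions made for this illustration; limit_conn_zone is the directive current nginx releases use in place of limit_zone.

```python
import re

# Timeout directives named in the comment above.
TIMEOUTS = ("client_body_timeout", "client_header_timeout",
            "keepalive_timeout", "send_timeout")
MAX_TIMEOUT = 30  # seconds; assumed audit threshold, not a value from the comment

def directives(conf):
    """Yield (name, args) for each 'name arg ...' statement; block openers yield no args."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for stmt in re.split(r"[;{}]", conf):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return a list of findings about slow-connection hardening in conf."""
    findings, zones, used, seen = [], set(), [], {}
    for name, args in directives(conf):
        if name in TIMEOUTS and args:
            seen[name] = args[0]
        elif name == "limit_zone" and args:   # older syntax, as in the comment
            zones.add(args[0])
        elif name == "limit_conn_zone":       # current syntax: zone=name:size
            zones.update(a[5:].split(":")[0] for a in args if a.startswith("zone="))
        elif name == "limit_conn" and len(args) == 2:
            used.append(args[0])
    for t in TIMEOUTS:
        m = re.fullmatch(r"(\d+)s?", seen.get(t, ""))
        if t not in seen:
            findings.append(f"{t}: not set, nginx default applies")
        elif not m:
            findings.append(f"{t}: value {seen[t]} not checked (unit other than seconds)")
        elif int(m.group(1)) > MAX_TIMEOUT:
            findings.append(f"{t}: {seen[t]} exceeds {MAX_TIMEOUT}s")
    if not used:
        findings.append("limit_conn: no per-client connection limit")
    findings += [f"limit_conn: zone '{z}' is not defined" for z in used if z not in zones]
    return findings

# Constructed sample configs, embedded so the audit runs offline.
MISMATCHED = """http {
    client_body_timeout 10; client_header_timeout 10; send_timeout 10;
    limit_zone limit_per_ip $binary_remote_addr 1m;
    server { limit_conn limit_per 16; } }"""
HARDENED = """http {
    client_body_timeout 10; client_header_timeout 10;
    keepalive_timeout 10; send_timeout 10;
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:1m;
    server { limit_conn limit_per_ip 16; } }"""
```

Calling audit(MISMATCHED) reports the missing keepalive_timeout and the undefined zone name, while audit(HARDENED) returns an empty list.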
