www.cnblogs.com/luoluo
There has been a lot of discussion of this topic on Planet recently. I talked the solution over with Jack, Yunshu and Kevin in our group, and over the past two days we did a simple analysis of Apache's request-processing mechanism; our thinking is now clearer.
There are three places a solution could live: the web server, the client, and a middle layer between the two.
1. On the web server, taking Apache as the example. The first things that come to mind are mod_rewrite rules or an Apache module, but testing shows that neither rewrite rules nor an ordinary DSO module works, because Apache has already returned the error before they get to run. So we looked for an earlier point of intervention. The ap_hook mechanism lets code be inserted at many stages, and an Apache input filter can also act on the input earlier, but all of these fail as well. In the end, reading the code shows that when an error occurs while Apache is processing the request headers, the error response is returned directly; so short of modifying the Apache source, this cannot be solved at the Apache level.
2. On the client side, it is also easy to think of customizing the 400 error page and putting JavaScript in it that clears the cookie. The problem is that the customized page content cannot actually be returned to the client. There is also the option of client software, but that is not available to a website.
3. Yunshu mentioned layer-7 filtering between the client and the server, for example with iptables, which has not been tested. Kevin suggested that the Squid approach also belongs in this category; I have not compared the two, but Squid can basically be regarded as a web server.
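As an added illustration of the middle-layer option (this is not code from the post, from Squid or from Apache), the constructed Python sketch below is a minimal layer-7 pre-filter: it applies the same per-header-line ceiling Apache enforces (LimitRequestFieldSize, default 8190 bytes) before a request is forwarded to Apache, and when the Cookie header is the offending line it answers with a page that expires every cookie name it saw, which is exactly the response Apache's own 400 path cannot deliver. The Set-Cookie attributes (Path=/), the response text and the sample requests are assumptions.

```python
from typing import List, Optional, Tuple

# Apache's default LimitRequestFieldSize: the longest request header line it accepts.
LIMIT = 8190

def split_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw request head into (request line, [(lowercased name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def oversized_headers(raw: bytes, limit: int = LIMIT) -> List[str]:
    """Names of header lines longer than the limit: the lines Apache would reject with 400."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].strip().lower().decode("latin-1")
            for line in head.split(b"\r\n")[1:] if len(line) > limit]

def cookie_names(cookie_value: bytes) -> List[bytes]:
    """Distinct cookie names in a Cookie header value, in order of first appearance."""
    names: List[bytes] = []
    for pair in cookie_value.split(b";"):
        name = pair.split(b"=", 1)[0].strip()
        if name and name not in names:
            names.append(name)
    return names

def filter_request(raw: bytes, limit: int = LIMIT) -> Optional[bytes]:
    """Return a response to send to the client ourselves, or None to forward to Apache."""
    bad = oversized_headers(raw, limit)
    if not bad:
        return None  # within limits: Apache will accept it, so pass it through
    _, headers = split_head(raw)
    cookie = b"; ".join(value for name, value in headers if name == b"cookie")
    body = b"Your stored cookies were too large and have been cleared; please reload."
    lines = [b"HTTP/1.1 400 Bad Request",
             b"Content-Type: text/plain",
             b"Content-Length: " + str(len(body)).encode("ascii"),
             b"Connection: close"]
    if "cookie" in bad:
        # Expire every cookie the browser sent so its next request fits under the limit.
        for name in cookie_names(cookie):
            lines.append(b"Set-Cookie: " + name + b"=; Max-Age=0; Path=/")
    return b"\r\n".join(lines) + b"\r\n\r\n" + body
```

The Cookie header does not reveal each cookie's Path or Domain attributes, so the expiring Set-Cookie lines only clear cookies whose attributes match the ones sent here; a real deployment would have to emit variants for the paths and domains the site actually uses.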
Originally the web server imposes this limit to protect itself from DoS attacks, and the result is that the client can be DoSed instead. Ultimately this is a single-choice question: should the server or the client be the one vulnerable to DoS? Apache chose the former. Kevin says this is fundamentally a browser problem, because browsers do not comply with the cookie size limits in the relevant standards. Indeed, the ideal state is for server and client to agree on the maximum request header size. But unless serious harm is caused, neither browsers nor web servers will be adjusted easily.
So on the whole this is a hard problem. I expect the final solution will be driven by the harm it eventually causes.