[Ur] few security patches

Adam Chlipala adamc at csail.mit.edu
Sat Sep 6 10:02:25 EDT 2014


On 09/06/2014 05:49 AM, Sergey Mironov wrote:
> Hi. Let me post a few more patches dealing with security.

Thanks!  They're all pushed to the main repo now.

> 4_of_4_Introduce_recv_timeout_controlled_by___T__option_in_http_c.patch
>
> The most important one: I found that http.c-based applications suffer
> from a kind of DDoS attacks where attacker opens connections to the
> application, but sends no data. As soon as all threads block in their
> [recv]s, application stops answering requests. This patch helps to
> protect the application by setting up a timeout for recv and an option
> to control it.

It seems like an OK idea to include this style of timeout, but:
1) The approach still seems naive.  The attacker can instead send one 
byte every few seconds and do a lot of damage!
2) I've been assuming serious deployments will be behind popular HTTP 
servers like Apache, using FastCGI to connect to Ur/Web apps, so that 
the security measures of those HTTP servers are applied "for free".




More information about the Ur mailing list