Talk:Slowloris (software)

From Wikipedia, the free encyclopedia

Which software is unaffected?

The section "Mitigating the Slowloris attack" claims that some HTTP server software is unaffected yet doesn't list any. But as I understand the HTTP spec (RFC 2616), any server that responds in an HTTP-conforming way to a connection initiated by a slow modem (e.g. V.32bis at 14.4 kbps) is affected unless it drops the connection after the client sends too many request headers. What software is not affected and why not? --Damian Yerrick (talk | stalk) 17:27, 9 September 2010 (UTC)

The attack is more pronounced on Apache due to the fact that Apache has a MaxClients setting which imposes a restriction on the number of simultaneous connections the web server will allow. SlowLoris uses slow connections to exploit this limitation, but that isn't the only way to do so.
Servers may still be vulnerable even if they don't implement a hard limit on the number of connections, as less than optimum connection handling can lead to the depletion of CPU and RAM resources on the server. This is classically known as the C10k problem. Motoma (talk | stalk) 21:13, 18 November 2010 (UTC)
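
The following is an added example, not part of the discussion above and not code from any server mentioned in it. It sketches the server-side check raised in the thread: drop a connection that sends too many request headers, combined with a total time budget for the request head so that a slot under a MaxClients-style limit cannot be held by trickled headers. The function names, limits and sample clients are assumptions constructed for illustration.

```python
import socket, threading, time

def read_request_head(conn, total_deadline=0.3, max_headers=20, max_bytes=8192):
    """Return ("ok", head) or ("drop", reason) for one client connection."""
    start, buf = time.monotonic(), b""
    while b"\r\n\r\n" not in buf:
        remaining = total_deadline - (time.monotonic() - start)
        if remaining <= 0:
            return ("drop", "deadline")
        conn.settimeout(remaining)  # shrinking budget: trickled bytes do not reset it
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            return ("drop", "deadline")
        if not chunk:
            return ("drop", "closed")
        buf += chunk
        # Header fields seen so far (request line excluded, partial last line counted).
        fields = [f for f in buf.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:] if f]
        if len(fields) > max_headers or len(buf) > max_bytes:
            return ("drop", "too many headers")
    return ("ok", buf.split(b"\r\n\r\n", 1)[0])

def demo(kind):
    """Constructed clients on a local socketpair: 'normal', 'flood' or 'slow'."""
    client, server = socket.socketpair()

    def trickle():
        try:
            client.sendall(b"GET / HTTP/1.1\r\n")
            for i in range(100):
                client.sendall(b"X-a: %d\r\n" % i)  # one header every 50 ms
                time.sleep(0.05)
        except OSError:
            pass  # the server side dropped the connection

    if kind == "normal":
        client.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    elif kind == "flood":
        client.sendall(b"GET / HTTP/1.1\r\n" + b"X-a: 1\r\n" * 50)
    else:
        threading.Thread(target=trickle, daemon=True).start()
    try:
        return read_request_head(server)
    finally:
        server.close()
        client.close()
```

A per-read idle timeout of 100 ms would never fire against the trickling client here, because a header arrives every 50 ms; the total deadline is what releases the slot.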

Lighttpd affected or not?

Lighttpd is listed in the "affected servers" list, but later given as an example of a server that does not have the problem, along with nginx. Which is it? — Preceding unsigned comment added by (talk) 23:54, 28 April 2014 (UTC)