[Zope] Zope Best Possible Installation

Toby Dickenson tdickenson@geminidataloggers.com
Fri, 13 Jun 2003 13:44:25 +0100

On Friday 13 June 2003 13:03, Robert Segall wrote:
> On Friday 13 June 2003 13:49, you wrote:
> > Squid also has a configurable limit on the size of the request body, and
> > the size of request headers. I think both of these offer valuable
> > protection.
> Pound also enforces a limit on the size and number of headers in a request
> - again quite large.

woohooo. Im looking forward to having an opportunity to try Pound.

> As to the request body: that's a very different can of worms. With the
> addition of chunked/MIME encodings in HTTP 1.1 the only way of enforcing a
> size limit on the request body is to read the complete request in the proxy
> before passing it to the actual server. Unfortunately that exposes you to a
> nasty DOS attack - all an attacker needs to do is to send you one (or
> several - in parallel) never-ending request(s). 

Im not sure how squid would handle the chunked request case.

It handles the limit on non-chunked request body sizes by counting bytes, and 
severing the TCP connection when the counter gets too big. No buffering. I 
guess that would work with chunks too.

(from memory, I didnt think chunked encoding was permitted for request bodies. 
For interoperability with http/1.0)

> You may want to look at a
> similar attack against Apache (published about 5 months ago - google for
> apache and chunked encoding vulnerability).

I must have missed that one, but I dont keep up to date with apache these 
days. I cant see anything in Google, unless you mean this 12-month-old one.

Toby Dickenson