[Zope] Responding to hackers
Skip Montanaro
skip@pobox.com
Mon, 28 Oct 2002 12:35:19 -0600
>> To avoid this problem you could cap the number of "sluggish"
>> responses at some figure, after which you simply fall back to regular
>> 404 responses.

Chris> All sounds cool, lot of work though ;-)

Not really, though of course it depends on how motivated you are to solve
the problem. ;-) You need a 404 handler which checks to see if the start of
the requested path is on the no-no list. When the handler is called, it
first checks the number of running threads. If the max has been reached or
exceeded, shoot back a 404 and return. Otherwise, increment the running
threads counter, snooze for a while, then redirect to the next path in the
chain.

If you're fronting Zope with Apache or Squid I suspect it would be worth
checking to see if they already implement something similar. You could
easily do something with mod_rewrite, though I'm not too sure about the
thread counter business. You'd probably just bump up against the maximum
number of httpd processes (in which case you _would_ have a DOS attack).

Skip
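
The capped slow-404 handler described in the message above, as an added example that is not part of the original post or of Zope. The path prefixes, redirect chain, cap and delay are constructed values, and `TarpitNotFound` is a hypothetical name; the counter is decremented once the snooze ends, which the message leaves implicit.

```python
import threading
import time

# Constructed sample values; the message names no specific paths or limits.
NO_NO_PREFIXES = ("/scripts/", "/_vti_bin/")
TARPIT_CHAIN = ["/scripts/a", "/scripts/b", "/scripts/c"]


class TarpitNotFound:
    """404 handler that stalls requests for listed paths, up to a fixed cap."""

    def __init__(self, max_sluggish=5, snooze=10.0, sleep=time.sleep):
        self.max_sluggish = max_sluggish  # cap on concurrent slow responses
        self.snooze = snooze              # seconds to hold each one
        self.sleep = sleep                # injectable so tests need not wait
        self.running = 0
        self.lock = threading.Lock()

    def next_in_chain(self, path):
        """Next tarpit path, or None when the chain is exhausted."""
        if path not in TARPIT_CHAIN:
            return TARPIT_CHAIN[0]
        i = TARPIT_CHAIN.index(path) + 1
        return TARPIT_CHAIN[i] if i < len(TARPIT_CHAIN) else None

    def handle(self, path):
        """Return (status, headers) for a request that matched no object."""
        if not path.startswith(NO_NO_PREFIXES):
            return 404, {}
        # Check and increment under one lock so the cap cannot be overshot.
        with self.lock:
            if self.running >= self.max_sluggish:
                return 404, {}  # cap reached: fall back to a regular 404
            self.running += 1
        try:
            self.sleep(self.snooze)  # hold the connection open
        finally:
            with self.lock:
                self.running -= 1    # free the slot even if the client left
        target = self.next_in_chain(path)
        if target is None:
            return 404, {}
        return 302, {"Location": target}
```

Keeping the cap well below the server's worker thread count is what stops the tarpit itself from starving legitimate requests.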