Skip to main content Skip to search
Can we use first and third party cookies and web beacons to understand our audience, and to tailor promotions you see?
Main menu
  • Drupal.org home
  • Discover Drupal
    • Drupal Core
    • Drupal CMS
    • Drupal AI
    • Case Studies
    • Drupal for Government
    • Drupal for Higher Education
    • Drupal for Nonprofit
    • Drupal for eCommerce
    • Drupal for FinTech
    • Drupal for Healthcare
    • Drupal for Enterprise
    • Drupal for Retail
    • Drupal for Travel & Tourism
  • Build with Drupal
    • Download Drupal
    • Documentation
    • Getting started
    • Local Development Guide
    • Developer Resources
    • Drupal CMS User Guide
    • Drupal User Guide
    • API
    • Modules
    • Themes
    • Recipes
    • Site Templates
    • Issue queues
    • Security Advisories
  • Partners & Services
    • Find a Drupal Certified Partner
    • Become a Drupal Certified Partner
    • Find a Hosting Provider
    • Find a Migration Partner
    • Find Training
    • Drupal Steward
  • Community
    • About the Community
    • How to Contribute
    • DrupalCon
    • Events
    • Jobs / Careers
    • News & Blogs
    • Forum
    • Slack
    • Newsletters
    • Drupal Swag Shop
  • Support Drupal
    • The Drupal Association
    • Donate
    • Become a Partner
    • Become a Ripple Maker
    • Become a Drupal Sustaining Member
    • Drupal Swag Shop
  • Get Started
    • Try Drupal CMS
    • Try Hosting
Return to content

Search form

  • Log in, view profile, and more
    • Log in
    • Create account
Drupal.org
ModulesTrollIssues

Sleep makes DoS attacks easier!

Closed (won't fix)
Project: 
Troll
Version: 
5.x-1.1
Component: 
Code
Priority: 
Normal
Category: 
Feature request
Assigned: 
Unassigned
Reporter: 
schnizZzla
Created: 
26 Mar 2007 at 04:24 UTC
Updated: 
20 Jun 2008 at 13:40 UTC

I think it may be better to remove this feature or give some explanation or warning. Because at first thought such random stutter seems a good idea, but then...

You can read a nice comment about DoS attacks using sleep on php.net:

"Unluckily, there is not much you can do against braindead criminals. Even if you block them on the IP layer, they can still fill the wire with datagrams :(
However, sleep() makes an attack a lot cheaper. If the target uses for example sleep(5); then the attacker can safely assume that one request will keep one process running for 5 seconds.
So, only a few dozen requests (w/ dropped connections), will safely run you into "MaxClients" and you will not be able to accept legitimate requests any more. So what, increase "MaxClients" then, I hear you say? The attacker can do this for hours, but you can't...
10MB of memory for a server process is not a unreasonable assumption. If your web server has 2GB of RAM then it will start thrashing after starting 200 processes. A 32 bit machine is out of virtual memory after 400. That can be achieved using a 14.4k modem..."

Comments

deekayen’s picture

Comment #1

deekayen commented 20 June 2008 at 13:40
Status: Active » Closed (won't fix)

Then don't use it. It is, after all, an option.

  • Log in or register to post comments
Contribution record
Add child issue, clone issue
Infrastructure management for Drupal.org provided by Tag1 logo
Need a Drupal 7 extended support partner? Consider Tag1.

News items

  • News
  • Planet Drupal
  • Social media
  • Sign up for Drupal news
  • Security advisories
  • Jobs

Our community

  • Community
  • Services, Training & Hosting
  • Contributor guide
  • Groups & meetups
  • DrupalCon
  • Code of conduct

Documentation

  • Documentation
  • Drupal Guide
  • Drupal User Guide
  • Developer docs
  • API.Drupal.org

Drupal code base

  • Download & Extend
  • Drupal core
  • Modules
  • Themes
  • Distributions

Governance of community

  • About
  • Web accessibility
  • Drupal Association
  • About Drupal.org
  • Terms of service
  • Privacy policy

Drupal is a registered trademark of Dries Buytaert.