Re: [Haskell] Re: [Haskell-cafe] ANNOUNCE: enumerator, an alternative iteratee package

20 Aug 2010

      On 20/08/10 22:32, John Millikin wrote:
...
On Fri, Aug 20, 2010 at 12:52, Magnus Therning  wrote:
...
You don't need to send that much data, the current implementation of
Enumerator uses hGet, which blocks, so just send the server a few bytes and
it'll be sitting there waiting for input until it times out (if ever).
Open a few hundred of those connections and you're likely to cause the
server to run out of FDs.  Of course this is already coded up in tools like
slowloris[1] :-)
Correct me if I'm wrong, but I'm pretty sure changing the implementation to
something non-blocking like hGetNonBlocking will not fix this. Hooking up an
iteratee to an enumerator which doesn't block will cause it to loop forever,
which is arguably worse than simply blocking.
The best way I can think of to defeat a handle-exhaustion attack is to
enforce a timeout on HTTP header parsing, using something like
System.Timeout. This protects against slowloris, since requiring the
entire header to be parsed within some fixed small period of time
prevents the socket from being held open via slowly-trickled headers.
Indeed.

In many protocols it would force the attacker to send well-formed requests
though.  I think this is true for many text-based protocols like
HTTP.

The looping can be handled effectively through hWaitForInput.

There are also other reasons for doing non-blocking IO, not least that it
makes developing and manual testing a lot nicer.

/M

-- 
Magnus Therning                        (OpenPGP: 0xAB4DFBA4)
magnus＠therning．org           Jabber: magnus＠therning．org
http://therning.org/magnus         identi.ca|twitter: magthe