On Friday 13 June 2003 13:49, you wrote:
Squid also has a configurable limit on the size of the request body, and the size of request headers. I think both of these offer valuable protection.
Pound also enforces a limit on the size and number of headers in a request - again quite large. As to the request body: that's a very different can of worms. With the addition of chunked/MIME encodings in HTTP 1.1 the only way of enforcing a size limit on the request body is to read the complete request in the proxy before passing it to the actual server. Unfortunately that exposes you to a nasty DOS attack - all an attacker needs to do is to send you one (or several - in parallel) never-ending request(s). You may want to look at a similar attack against Apache (published about 5 months ago - google for apache and chunked encoding vulnerability). -- Robert Segall Apsis GmbH Postfach, Uetikon am See, CH-8707 Tel: +41-1-920 4904