why Unicorn doesn't do slow clients
normalperson at yhbt.net
Wed Oct 7 20:09:42 EDT 2009
You may have heard of Slowloris and Nkiller2 (if not check them out),
but there is also david:
I wasn't comfortable with announcing this two years ago when I wrote it.
I'm OK now since Slowloris and Nkiller2 are similar (ok, Nkiller2 is
lower-level and meaner) and attacks of this type should be well-known by
now. I'm sure some folks have known about these types of attack since
the 1990s, even.
I haven't touched david in over two years and don't have any desire to
maintain or support it. Feel free to take and hack on it for your own
testing or even make it into a real project, but please be nice and
don't hurt people with it.
This is different from Slowloris in that it throttles the entire request
including the POST/PUT body. Most proxies (including haproxy) don't
buffer bodies before sending them on whereas nginx will buffer large
ones to temporary files.
I originally wrote david to convince some friends to stick nginx in
front of anything that wasn't nginx; including Apache +
mod_perl|mod_php|mongrel and Tomcat setups.
And it was quite convincing at the time :>
* david combines fork() with select() to multiplex file descriptors
and get around select() and non-priviledged process FD limits.
* The defaults at the top of the davic.c file are all pretty tame,
but they're all commented on and you can tweak them.
* david mmaps a raw file that is an HTTP request, some small
samples are provided but you can/should generate your own large
POST/PUT requests to really stress request body handling.
More information about the rainbows-talk