
Client inactivity timeout (sockstress) #772

Closed
krizhanovsky opened this issue Jul 21, 2017 · 0 comments

krizhanovsky commented Jul 21, 2017

Currently we don't limit how long a client can keep a connection open without doing anything, so the following command:

    $ nc tempesta 80

keeps the connection open until TCP keepalive closes it. The current client_header_timeout and client_body_timeout limits don't affect the behaviour, and neither does keepalive_timeout. This issue isn't crucial, since we have concurrent_connections, so an attacker can't efficiently launch a sockstress attack, but it's still not desirable to spend resources.

In general, the keepalive_timeout parameter shall limit the period of client connection inactivity starting from connection establishment, not from the first message as it seems to be now. It's different from client_header_timeout, which defines the time required to receive a full HTTP header (i.e. if an attacker sends 1 byte at a time, it still will be blocked). However, it's exactly the same as client_body_timeout (timeout between data chunks), but it should start just after connection establishment. So the keepalive_timeout option will overlap client_body_timeout. Meanwhile, an attacker can send 1 byte of body at a time and pass the limits, so client_body_timeout must be reworked to limit the total time required to build the whole message body. With the http_body_chunk_cnt limit it efficiently fights against slow HTTP. However, http_body_chunk_cnt is not enough, because it limits HTTP chunks and an attacker still can slowly send, for example, small IP fragments.

Also see Apache mod_reqtimeout.
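The comment above contrasts the timer semantics Tempesta had at the time (keepalive_timeout counted from the first message, client_body_timeout as a gap between chunks) with the proposed ones (inactivity counted from connection establishment, client_body_timeout bounding the whole body). The following is an added example, not Tempesta FW code: a small model of both policies, run against constructed traces of an idle `nc` socket, a one-byte-at-a-time header sender, a slow body sender and a normal client. The event names, the `Limits` values and the `first_violation`/`compare` helpers are assumptions made for the illustration; only the option names come from the issue.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    keepalive_timeout: float      # allowed inactivity, seconds
    client_header_timeout: float  # total time allowed to receive the full header
    client_body_timeout: float    # current: gap between body chunks; proposed: whole body


# A connection trace is a list of (time_seconds, event) pairs (constructed data):
#   "open"     TCP connection established (nc tempesta 80 gets exactly this far)
#   "hdr"      some header bytes arrived
#   "hdr_end"  end of headers seen
#   "body"     some body bytes arrived
#   "body_end" full body received
# `now` is the moment the server evaluates its timers.


def first_violation(trace, now, limits, proposed):
    """Name of the first limit the trace violates, or None if the client passes.

    proposed=False models the behaviour the issue describes as current:
    keepalive_timeout starts at the first message and client_body_timeout is
    the gap between two body chunks.  proposed=True models the requested
    behaviour: keepalive_timeout starts at connection establishment and
    client_body_timeout bounds the total time to receive the whole body.
    """
    opened = first_data = last_data = None
    hdr_done = body_start = body_done = None
    for t, ev in list(trace) + [(now, "tick")]:
        if ev == "open":
            opened = t
            continue
        # Inactivity reference: last bytes seen, else (proposed only) the open time.
        base = last_data if last_data is not None else (opened if proposed else None)
        if base is not None and t - base > limits.keepalive_timeout:
            return "keepalive_timeout"
        # Header timer: total time since the first header byte, both semantics.
        if first_data is not None and hdr_done is None \
                and t - first_data > limits.client_header_timeout:
            return "client_header_timeout"
        # Body timer: whole-body budget (proposed) vs gap since the last chunk (current).
        if body_start is not None and body_done is None:
            since = body_start if proposed else last_data
            if t - since > limits.client_body_timeout:
                return "client_body_timeout"
        if ev == "tick":
            return None
        if first_data is None:
            first_data = t
        last_data = t
        if ev == "hdr_end":
            hdr_done = t
        elif ev == "body" and body_start is None:
            body_start = t
        elif ev == "body_end":
            body_done = t
    return None


# Hypothetical limits chosen for the illustration.
LIMITS = Limits(keepalive_timeout=75, client_header_timeout=10, client_body_timeout=30)

# Constructed traces.
IDLE_SOCKET = [(0, "open")]                                            # nc, then nothing
SLOW_HEADER = [(0, "open")] + [(1 + 5 * i, "hdr") for i in range(12)]  # 1 byte / 5 s, never ends
SLOW_BODY = [(0, "open"), (1, "hdr"), (2, "hdr_end")] \
    + [(3 + 20 * i, "body") for i in range(10)]                        # 1 byte / 20 s, never ends
NORMAL = [(0, "open"), (0.1, "hdr"), (0.2, "hdr_end"), (0.3, "body"), (0.5, "body_end")]


def compare(trace, now, limits=LIMITS):
    """Evaluate one trace under both semantics."""
    return {"current": first_violation(trace, now, limits, proposed=False),
            "proposed": first_violation(trace, now, limits, proposed=True)}


if __name__ == "__main__":
    for name, trace, now in [("idle socket", IDLE_SOCKET, 300),
                             ("slow header", SLOW_HEADER, 60),
                             ("slow body", SLOW_BODY, 200),
                             ("normal", NORMAL, 1)]:
        print(f"{name:12s} {compare(trace, now)}")
```

The idle socket and the slow body sender pass under the current semantics and are cut off only under the proposed ones, which is the behaviour change the issue asks for; the slow header sender is already blocked because client_header_timeout is a total budget. Because the proposed body timer is a budget on wall-clock time rather than a count of chunks, it also covers the case http_body_chunk_cnt cannot, where the bytes arrive as small IP fragments instead of separate HTTP chunks.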

@krizhanovsky krizhanovsky added this to the 1.0 WebOS milestone Jul 21, 2017
@krizhanovsky krizhanovsky changed the title Frang: client connection timeout (sockstress) Client inactivity timeout (sockstress) Jul 22, 2017
@krizhanovsky krizhanovsky modified the milestones: backlog, 0.6 KTLS Jan 9, 2018
@krizhanovsky krizhanovsky modified the milestones: 0.6 KTLS, 0.7 HTTP/2 Jul 15, 2018
aleksostapenko added a commit that referenced this issue Jul 18, 2018
 Fix #772: Change 'keepalive' and 'client_body' timeouts applying.