toss one more on the list .... mod_antiloris/0.4.1 ... well needs to be tested but you cannot really launch a decent slowloris attack from a Win box, not enough connections.
http://httpd.apache.org/docs/trunk/developer/new_api_2_4.htmlThat page sucks! I saw a rather long complaint about it on the dev list today (still Sunday here ... for another hour)
It's nice of them to say "ap_get_scoreboard_worker is gratuitously made non-back-compatible as an alternative version is introduced." but really nothing else. So ok, it changed, to what? How?
Since Apache crashes on first request with mod_antiloris, I figured it had to be something major. I finally just assumed by that crappy doc that it might be the scoreboard. Search the module for ap_get_scoreboard_worker and what do you know, one call to it.
Cool, doesn't mean I'll figure it out but I started having a look through the greek in scorboard.c. Search out the declare for ap_get_scoreboard_worker, find it, yep, much different, but right above it is
AP_DECLARE(worker_score *) ap_get_scoreboard_worker_from_indexes(int x, int y)
{
if (((x < 0) || (x >= server_limit)) ||
((y < 0) || (y >= thread_limit))) {
return(NULL); /* Out of range */
}
return &ap_scoreboard_image->servers[x][y];
}
The call in mod_antiloris;
ws_record = ap_get_scoreboard_worker(i, j);
Hmmmm, look at that, now look at ap_get_scoreboard_worker in 2.2.17
AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y)
{
if (((x < 0) || (server_limit < x)) ||
((y < 0) || (thread_limit < y))) {
return(NULL); /* Out of range */
}
return &ap_scoreboard_image->servers[x][y];
}
Why couldn't they have just said it changed to ap_get_scoreboard_worker_from_indexes?
Looks pretty backward compatible to me since its verbatim. Besides that, the new ap_get_scoreboard_worker turns around and calls ap_get_scoreboard_worker_from_indexes *smh*
So anyway, make that change, add the per-module logging stuff (which thankfully is explained well on that page), compile, start Apache and I'll be danged, it Works! and logs as it should.
[Sun Nov 28 23:27:34.900000 2010] [antiloris:notice] [pid 1544:tid 324] mod_antiloris 0.4.1 started
That will be nice when running both limitipconn and antiloris since they both have the same exact error message.
____ Edit ____
I was able to set off mod_antiloris somehow;
[Tue Nov 30 00:12:46.481000 2010] [antiloris:warn] [pid 5208:tid 992] Rejected, too many connections in READ state from ::1
A correction to above: mod_limitipconn's error message is very similar, but not exact.
mod_limitipconn has been ported, it was a little more involved but not much.