php.ini and DDOS risks

Post by Chiaro on Wed Aug 17, 2016 10:05 pm

So, everyone at work is talking about potentially adding file chunking to our website. The goal is to avoid needing to increase the limits on upload_max_filesize and post_max_size, with the idea that raising these limits will make our site easier to DDOS.

I've looked around for some explanation as to why that is, but everyone just says that it's bad to raise them too high. Is this one of those copy-pasted factoids that isn't really a big deal, or should I be concerned about raising them?


Re: php.ini and DDOS risks

Post by tremor77 on Sat Aug 27, 2016 12:47 am

Allowing PHP uploads does add the DoS vector to your web server; however, it may be something you require for your site or application, and turning it off is not an option.

So consider what a valid limit might be... 20MB, 50MB... and use that. Now, tbh, it doesn't matter if you make it 1MB; you're still vulnerable because of the number of requests that can be made. I can make 10,000 1MB upload requests or 100 100MB requests... if you limit requests per session, available after PHP 5.3.1 INI setting "max_file_uploads"

Good read on this: http://www.securityfocus.com/archive/1/507982
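Added example (not part of either post above): a small Python check that reads the upload directives from php.ini text and computes the worst-case upload volume for a number of simultaneous requests, which puts numbers on the reply's 10,000 x 1MB versus 100 x 100MB comparison. The sample configurations are constructed, the function names are hypothetical, and the fallback values are assumed to be PHP's stock defaults.

```python
import re

# Assumption: stock PHP defaults, used when php.ini omits a directive.
DEFAULTS = {"upload_max_filesize": "2M", "post_max_size": "8M", "max_file_uploads": "20"}
UNITS = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}

def to_bytes(value):
    """Convert PHP shorthand such as 20M or 512K to bytes."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?)", value.strip().upper())
    if not m:
        raise ValueError(f"unsupported size value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_ini(text):
    """Return the three upload directives from php.ini text, with defaults."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ; comments
        if "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key in cfg:
                cfg[key] = val.strip('"')
    return cfg

def per_request_ceiling(cfg):
    """Approximate largest upload body one request can get PHP to accept."""
    per_file = to_bytes(cfg["upload_max_filesize"])
    post = to_bytes(cfg["post_max_size"])
    all_files = per_file * int(cfg["max_file_uploads"])
    # post_max_size = 0 disables the body limit, so only the file limits apply.
    return all_files if post == 0 else min(post, all_files)

def exposure(cfg, concurrent_requests):
    """Worst-case bytes in flight for a number of simultaneous uploads."""
    return per_request_ceiling(cfg) * concurrent_requests

def config_warnings(cfg):
    """Flag settings where one limit silently overrides or removes another."""
    out = []
    post, per_file = to_bytes(cfg["post_max_size"]), to_bytes(cfg["upload_max_filesize"])
    if post == 0:
        out.append("post_max_size=0 removes the request body limit")
    elif post < per_file:
        out.append("post_max_size is below upload_max_filesize, so it is the real file cap")
    return out

# Constructed sample configurations (not from the thread).
SMALL = "upload_max_filesize = 1M\npost_max_size = 1M\nmax_file_uploads = 1\n"
LARGE = "upload_max_filesize = 100M ; raised\npost_max_size = 100M\nmax_file_uploads = 1\n"
```

With these samples, `exposure(parse_ini(SMALL), 10000)` and `exposure(parse_ini(LARGE), 100)` return the same total, so the size limits only bound a single request; limiting request rate and concurrency has to happen elsewhere.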


