httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: Problems w/ deny
Date Tue, 07 Jan 1997 03:24:09 GMT
On Mon, 6 Jan 1997, Cliff Skolnick wrote:

> 
> The nasty tools that lock up web server use SYN attacks.  Since the SYN
> attack takes place before the TCP three way handshake is complete, the
> application will not even know about it.  Protecting against SYN attacks
> is pretty hard, and even those that say they do actually only make a lame
> attempt and stop some but not all.  As for firewalls any good SYN bomb
> uses rotating IP source addresses, so not much good.  This is a real 
> problem that can not be solved 100%, except by changing TCP.

I don't think that is what he is thinking of.  I think he is thinking of
the case where you simply open a connection (i.e. complete the three-way
handshake) then do nothing.  Takes lots more resources on the server side
than the client.  On most servers all you need is a few hundred, and the
server can't do anything else even though you aren't requesting anything.

Has anyone thought of trying to make apache work with tcp wrappers'
libwrap?

> 
> All the above aside, the idea to limit the number of connections to a
> single host is good.  It could really lessen the risks of broken browsers
> and evil robots. As for including it, I don't think the denial of service
> argument is enough to include it in 1.2, next release is better IMHO.  
> Anyone who needs to lock out an attack really has to do it at the 
> firewall, not in each application.
> 
> How about a "late-patch" directory for stuff that just missed the 1.2 
> cutoff that is useful and will be included in the next release?
> 
> On Mon, 6 Jan 1997, Ed Korthof wrote:
> 
> > I consider this a bug.  Deny from statements are applied only after a request
> > has been read.  This means that a remote host can use a very simple denial of
> > service attack to completely incapacitate a web server (unless you have a
> > firewall you can reconfigure to deny from that specific host).  The remote host
> > opens a connection, then never asks for anything.  The connection hangs until
> > you hit TimeOut -- the default is 1200 seconds, but even with a low value it's
> > possible to kill a server through 10 requests a second which simply hang till
> > they timeout.
> > 
> > I'm nearly done w/ a patch to prevent more than a configurable number of
> > connections from a single host; it should be done by Wednesday.  Could we
> > consider including it in the 1.2 release?  Given that you can't use "deny from
> > ..." to protect from the above DoS attack, we should have some sort of
> > protection.
> > 
> > -- 
> >      -- Ed Korthof        |  Web Server Engineer --
> >      -- ed@organic.com    |  Organic Online, Inc --
> >      -- (415) 278-5676    |  Fax: (415) 284-6891 --
> > 
> 
> --
> Cliff Skolnick, Technical Consultant
> Steam Tunnel Operations
> cliff@steam.com, 415.297.5938
> http://www.steam.com/
> 
> 


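The attack Ed and Marc describe, and the accept-time per-host cap Ed proposes, as an added example in plain Python. This is not Apache code and not Ed's patch: the cap, the timeout values and the 127.0.0.1 loopback address are assumptions made for the demonstration, and the deny set stands in for "Deny from" only to show where in the request cycle it is consulted. The idle connections, the GET and the responses are constructed inline, so it runs offline.

```python
import select
import socket
import threading
import time
from collections import Counter


class CappedServer:
    """Thread-per-connection server: per-source-address cap enforced at accept(),
    a request timeout (Apache's TimeOut), and a "Deny from"-style list that is
    consulted only after a request has been read.  All values are assumptions."""

    def __init__(self, max_per_host=3, request_timeout=2.0, deny=()):
        self.max_per_host = max_per_host
        self.request_timeout = request_timeout
        self.deny = set(deny)
        self._active = Counter()       # source ip -> connections currently held
        self._lock = threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, (ip, _) = self._sock.accept()
            except OSError:            # listening socket closed by close()
                return
            # Checked before a single byte is read, so a client that completes
            # the handshake and goes quiet holds at most max_per_host workers.
            with self._lock:
                if self._active[ip] >= self.max_per_host:
                    conn.close()
                    continue
                self._active[ip] += 1
            threading.Thread(target=self._serve, args=(conn, ip), daemon=True).start()

    def _serve(self, conn, ip):
        try:
            conn.settimeout(self.request_timeout)
            try:
                data = conn.recv(4096)
            except socket.timeout:     # idle client held this worker until TimeOut
                return
            if not data:               # peer closed without sending a request
                return
            # "Deny from" lives here, after the request has been read: an idle
            # client never reaches this line, which is the bug Ed describes.
            if ip in self.deny:
                conn.sendall(b"HTTP/1.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            elif data.startswith(b"GET "):
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        finally:
            conn.close()
            with self._lock:
                self._active[ip] -= 1

    def active(self, ip="127.0.0.1"):
        with self._lock:
            return self._active[ip]

    def wait_idle(self, ip="127.0.0.1", timeout=3.0):
        """Poll until no connection from ip is held; False if timeout expires."""
        deadline = time.monotonic() + timeout
        while self.active(ip) and time.monotonic() < deadline:
            time.sleep(0.05)
        return self.active(ip) == 0

    def close(self):
        self._sock.close()


def idle_connect(port, n):
    """The attack in the thread: complete n handshakes, then send nothing."""
    return [socket.create_connection(("127.0.0.1", port)) for _ in range(n)]


def closed_by_server(socks, wait=1.0):
    """Return the socks the server has already closed.  A socket the server holds
    idle never becomes readable, so a select() loop with a deadline separates
    rejected connections from held ones without the client sending a byte."""
    closed, pending = [], list(socks)
    deadline = time.monotonic() + wait
    while pending and time.monotonic() < deadline:
        remaining = max(0.0, deadline - time.monotonic())
        readable, _, _ = select.select(pending, [], [], remaining)
        for s in readable:
            pending.remove(s)
            if s.recv(1) == b"":
                closed.append(s)
    return closed


def fetch(port):
    """A well-behaved client: send a minimal GET and return the response body."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        reply = s.makefile("rb").read()    # server closes after answering
    return reply.split(b"\r\n\r\n", 1)[1]
```

With max_per_host=2 and five idle connections from one address, the third, fourth and fifth are closed at accept() before any worker is tied up, while the first two sit until TimeOut frees them.  The cap does nothing for Cliff's case: a SYN flood never completes the handshake, so the server never sees it, and an attacker rotating source addresses gets max_per_host workers per address.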