Return-Path: 
 <dev-return-78315-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
X-Original-To: apmail-httpd-dev-archive@www.apache.org
Delivered-To: apmail-httpd-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id C08E910A8C
	for <apmail-httpd-dev-archive@www.apache.org>;
 Tue, 20 Aug 2013 08:19:00 +0000 (UTC)
Received: (qmail 39803 invoked by uid 500); 20 Aug 2013 08:18:58 -0000
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 39262 invoked by uid 500); 20 Aug 2013 08:18:54 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
List-Post: <mailto:dev@httpd.apache.org>
List-Id: <dev.httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 39244 invoked by uid 99); 20 Aug 2013 08:18:53 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 20 Aug 2013 08:18:53 +0000
X-ASF-Spam-Status: No, hits=0.0 required=5.0
	tests=
X-Spam-Check-By: apache.org
Received-SPF: unknown (athena.apache.org: error in processing during lookup of
 dirkx@webweaving.org)
Received: from [204.109.56.33] (HELO ibiza.webweaving.org) (204.109.56.33)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 20 Aug 2013 08:18:47 +0000
Received: from pikmeer.webweaving.org (pikmeer.webweaving.org [178.18.23.51])
	by ibiza.webweaving.org (8.14.7/8.14.7) with ESMTP id r7K8IPlp000144
	for <dev@httpd.apache.org>; Tue, 20 Aug 2013 08:18:26 GMT
	(envelope-from dirkx@webweaving.org)
Received: from [10.11.0.108] (5ED28243.cm-7-3c.dynamic.ziggo.nl
 [94.210.130.67])
	(authenticated bits=0)
	by pikmeer.webweaving.org (8.14.5/8.14.5) with ESMTP id r7K8HtGX025930
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO)
	for <dev@httpd.apache.org>; Tue, 20 Aug 2013 08:18:25 GMT
	(envelope-from dirkx@webweaving.org)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Subject: Re: breach attack
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
In-Reply-To: <52069600.6060400@thelounge.net>
Date: Tue, 20 Aug 2013 10:17:55 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <AB7DF906-7E3E-439F-A35E-BD8129D7238F@webweaving.org>
References: 
 <CAMDeyhwCYYQMK+WTfvge7y20AqEB1=kqMHgqKYhr3kBWkZyYzA@mail.gmail.com>
 <CAMDeyhww0PMoH95YxuJe+7r=Gi1z2T+UPh+8CQg4KTLBXqLQqg@mail.gmail.com>
 <20130809210422.GA14384@redhat.com> <2250572.368Yd9bN48@k>
 <52069600.6060400@thelounge.net>
To: dev@httpd.apache.org
X-Mailer: Apple Mail (2.1508)
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.2.7 (ibiza.webweaving.org [204.109.56.32]);
 Tue, 20 Aug 2013 08:18:26 +0000 (UTC)
X-Greylist: Sender succeeded SMTP AUTH,
 not delayed by milter-greylist-4.2.5 (pikmeer.webweaving.org [178.18.23.51]);
 Tue, 20 Aug 2013 08:18:25 +0000 (UTC)
X-Virus-Checked: Checked by ClamAV on apache.org


Op 10 aug. 2013, om 21:35 heeft Reindl Harald <h.reindl@thelounge.net> =
het volgende geschreven:
>=20
> IMHO that is all the wrong train
>=20
> "victim's browser to visit the targeted website thousands of times"
> for me says clearly that a proper server with rate-controls based
> on iptable sor a firewall in front of the machine would stop this
> and honestly these days i would not connect any production server
> without rate-controls to the world wide web
>=20
> so i am strictly against mangle in the procotol and risk making
> mod_defalte less effective, protections aginst such attacks do
> not belong in the application layer

A couple of years ago - I would have wholeheartedly agreed with you.

However the world is changing. And several things combined make the =
assumption that such vigilance is likely (or even possible) no longer a =
safe one.

At the higher layers - developers work increasingly with abstraction =
layers, languages and frameworks which are far removed from HTTP; and =
which no longer require the developer to look at things like field =
completion, sessions and ajax-dynamic population of fields, gradual =
disclosure and what not at the GET level. Instead some (js) library or =
framework is used which just does it.

So technically it is no longer realistic for the average (or every =
crack) programmer to tell you what GETs to normally expect. And =
organizationally it is totally unrealistic; there are simply too few =
incentives for that information to flow. That 'layer' of the org is not =
paid/expected to care.

Increasingly the http layer moves to the very bottom of the stack - well =
out of sight; tended to by people very far (and commonly at arms length) =
removed from the web product. It may even be mostly in some sort of =
proxy/pass-through type of mode - where the ops people have no real idea =
as to what request goes to what app - and the volume is such that only =
automated tools help make sense of it.

Wether we like it or not - Apache is now commonly deployed in that =
world.

So our 'new' users can fairly expect us to tune apache to that sort of =
'blind' and 'bulky' deployments. So I think it somewhat behooves us to =
have options to mangle the protocol where and when needed - and focus on =
these in 'bulk and blind' modes.

Dw.=