httpd-users mailing list archives

From "Ben Chabot" <vo...@amninc.net>
Subject RE: [users@httpd] Re: Bug Versions 1.3.28/29 Fixed In 1.3.31 OrNot?
Date Mon, 17 May 2004 23:15:02 GMT
> It is not a matter of preventing logging. This is a matter of
> logical "clean" logging. 

Logical logging is to log all connection attempts.

> Check your internet resources for
> an actual transcript of a WebDav exploit. It is thirty-thousand
> to fifty-thousand bytes of repeating "binary" like code. That
> garbage is of no value for later analysis. That garbage only
> serves to bloat logfiles, to break log parsers, to annoy
> and to lead me to rants.

It _is_ of value for later analysis.  It's called NOPs and shellcode.
And I assure you it is not just garbage.  Like I said, today it doesn't
affect Apache.  But something might at some point and you won't be
logging it.  That will be amusing, trying to figure out what happened
with no logs.

> "SEARCH /\x90\x02\xb1\x02\xb1\x02\
> 
> However, you cannot prevent logging of the default eight-thousand
> bytes of garbage. You cannot send a method not allowed message.
> You cannot ip block offenders. You cannot do anything but eat it.
> 
> That is a bug.

I believe it's been posted at least 3 times how you could solve this, in
the way you are so obstinately ranting about.
 
> Yes, completely blocking logging is not a good idea. It is also
> not a good idea to allow eight-thousand bytes of garbage into
> your logs, without any control. 

It's called log filtering, there's your control.  Or rotating logs.
(Zipping them up periodically, and keeping a few back entries, deleting
the older ones.)

> Ya know, I could wipe out a server's disk storage in a matter
> of an hour or two, by sending WebDav at a rate of one-hundred
> per second, which would not trigger a DOS response.

You certainly could not.  You think you can send 100G of data in an
hour?  Not only that, like I said, most people rotate their logs, so
once it gets to X size, it is backed up, zipped and the log is cleared.
Once there's X many backups the oldest one is deleted.  So I find it
curious as to what your problem is.  I guess it's because Windows
doesn't come with logrotate?  Heh.

> Should a script kiddie decide to wipe out your disk storage,
> what would you do? Nothing. You would eat it. That is what
> you would do; you are completely naked and defenseless, unless
> you have a thirty-thousand dollar Cisco firewall.

Or you log to another machine via syslogd.  Or you have any sort of
firewall.  It doesn't take a 30k Cisco machine to do the job.  As I've
said, I believe snort or any number of things, if upstream, could drop
the packets before they hit Apache.  And most people would restore from
backup, if their data was lost, not that this is going to cause any data
loss whatsoever.

Man, it is time to leave this list. =)
Been fun folks... get me entertained for a day!
Later!
Ben

P.S. Kira, look up the definition of Ad Hominem arguments.  Seriously.
It's embarrassing.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
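
The log filtering suggested in the message above, as an added example that is not part of the original post or of Apache itself: a filter for Common Log Format lines that replaces an oversized, `\xNN`-laden request string with a short summary (length, escape count, SHA-256, prefix) and writes the untouched line to a separate raw file so the payload stays available for later analysis. The thresholds, file name and sample lines are assumptions constructed for illustration.

```python
import hashlib
import re

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] )"(?P<req>.*)" (?P<tail>\d{3} \S+)$')
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')
MAX_REQUEST = 512   # assumed threshold: longer request strings are summarised
MAX_ESCAPED = 16    # assumed threshold: more \xNN escapes than this looks binary
KEEP_PREFIX = 48    # characters of the original request kept in the summary

# Constructed sample lines (not taken from any real log).
SAMPLE_NORMAL = '10.0.0.5 - - [17/May/2004:23:15:02 +0000] "GET /index.html HTTP/1.0" 200 1043'
SAMPLE_ATTACK = ('10.0.0.5 - - [17/May/2004:23:15:03 +0000] "SEARCH /'
                 + r'\x90\x02\xb1' * 700 + '" 414 -')

def filter_line(line):
    """Return (line_for_clean_log, original_line_or_None_if_unchanged)."""
    line = line.rstrip("\n")
    m = CLF.match(line)
    if not m:
        return line, None            # unknown format: pass through untouched
    req = m.group("req")
    escaped = len(ESCAPED_BYTE.findall(req))
    if len(req) <= MAX_REQUEST and escaped <= MAX_ESCAPED:
        return line, None
    # Hash the full request so the summary can be matched to the raw copy.
    digest = hashlib.sha256(req.encode("utf-8", "replace")).hexdigest()
    method = req.split(" ", 1)[0][:16]
    summary = (f"{method} [filtered len={len(req)} escaped={escaped} "
               f"sha256={digest} prefix={req[:KEEP_PREFIX]}]")
    return f'{m.group("head")}"{summary}" {m.group("tail")}', line

def run(src, clean, raw):
    """Stream src to clean; copy every summarised line verbatim to raw."""
    for line in src:
        out, original = filter_line(line)
        clean.write(out + "\n")
        if original is not None:
            raw.write(original + "\n")

if __name__ == "__main__":
    import sys
    # access_raw.log is a hypothetical file name for the evidence copy.
    with open("access_raw.log", "a") as raw_log:
        run(sys.stdin, sys.stdout, raw_log)
```

The raw file can then be rotated and compressed on its own schedule, while parsers read only the summarised log.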

