Date:      Tue, 7 Aug 2001 23:57:44 -0500
From:      Alfred Perlstein <bright@mu.org>
To:        Christopher Ellwood <chris+freebsd-net@silicon.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Problem with Code Red II and HTTP Accept Filtering
Message-ID:  <20010807235744.A85642@elvis.mu.org>
In-Reply-To: <20010807213844.N672-100000@diamond>; from chris+freebsd-net@silicon.net on Tue, Aug 07, 2001 at 09:42:22PM -0700
References:  <20010807213844.N672-100000@diamond>

* Christopher Ellwood <chris+freebsd-net@silicon.net> [010807 23:42] wrote:
> The Code Red II worm seems to have a negative impact on FreeBSD machines
> with HTTP Accept Filtering enabled either statically in the kernel or via
> modules.
> 
> The man page for accf_http states that:
> 
>      It prevents the application from receiving the connected descriptor via
>      accept() until either a full HTTP/1.0 or HTTP/1.1 HEAD or GET request has
>      been buffered by the kernel.
> 
> What seems to be happening is Code Red II sends its 3.8K malformed
> request, but the accept filter doesn't recognize this request as being
> completed.  So the connection sits in the established state with 3818
> bytes in the Receive Queue as shown in the following netstat:
> 
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4    3818      0  10.1.1.1.80            64.1.1.1.2932       ESTABLISHED
> 
> If you get enough of these (about 20-30 on a machine with NMBCLUSTERS set
> to 1024), your mbuf cluster pool becomes exhausted and network
> transactions begin to fail.
> 
> This inadvertent side effect of the Code Red worm suggests that it would
> also be relatively easy to launch a denial of service attack against a
> machine with HTTP accept filtering.
> 
> This was observed on FreeBSD 4.3-RELEASE machine running both Apache
> 1.3.19 and 1.3.20.

This is somewhat true, however your machine seems to be configured
quite poorly.

Having a low amount of NMBCLUSTERS (1024) and at the same time keeping
an unbounded (or at least large) listen queue (listen(fd,-1)) is
not advised, especially when you are using accept filters.

-- 
-Alfred Perlstein [alfred@freebsd.org]
Ok, who wrote this damn function called '??'?
And why do my programs keep crashing in it?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
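As an added example (not part of the original thread or of FreeBSD), here is a small sh/awk check over `netstat -an` output that counts the pattern Christopher describes: ESTABLISHED sockets on the HTTP port holding unread bytes in Recv-Q, which is what a request accf_http never hands to accept() looks like. The netstat sample and the alert threshold are constructed; the threshold should be tuned to the host's NMBCLUSTERS.

```shell
#!/bin/sh
# Added example: spot connections stuck behind an HTTP accept filter.
# Pattern: ESTABLISHED, local port == HTTP port, Recv-Q > 0 (bytes buffered
# in the kernel but never delivered to the application).

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4    3818      0  10.1.1.1.80            64.1.1.1.2932          ESTABLISHED
tcp4    3818      0  10.1.1.1.80            64.1.1.2.1044          ESTABLISHED
tcp4       0      0  10.1.1.1.80            198.51.100.7.40021     ESTABLISHED
tcp4    1024      0  10.1.1.1.22            192.0.2.5.51234        ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN'

# stuck_http_conns PORT  (netstat output on stdin)
# Prints the number of ESTABLISHED connections on local port PORT with Recv-Q > 0.
stuck_http_conns() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" && $2 > 0 {
            # Local address is "a.b.c.d.port"; the last dotted field is the port.
            n = split($4, a, "."); if (a[n] == port) count++
        }
        END { print count + 0 }'
}

# stuck_http_bytes PORT  (netstat output on stdin)
# Prints the total unread bytes those connections are pinning in mbuf clusters.
stuck_http_bytes() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" && $2 > 0 {
            n = split($4, a, "."); if (a[n] == port) bytes += $2
        }
        END { print bytes + 0 }'
}

# pressure_status COUNT LIMIT
# Prints WARN when the stuck-connection count reaches LIMIT, else OK.
# LIMIT is a constructed tunable: the thread reports exhaustion at roughly
# 20-30 stuck connections with NMBCLUSTERS=1024.
pressure_status() {
    if [ "$1" -ge "$2" ]; then echo WARN; else echo OK; fi
}

# Stand-alone report over the constructed sample (on a live host, replace
# the printf with: netstat -an | stuck_http_conns 80).
count=$(printf '%s\n' "$SAMPLE_NETSTAT" | stuck_http_conns 80)
bytes=$(printf '%s\n' "$SAMPLE_NETSTAT" | stuck_http_bytes 80)
echo "stuck HTTP connections: $count ($bytes bytes queued) -> $(pressure_status "$count" 20)"
```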
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010807235744.A85642>