Date: Wed, 8 Aug 2001 13:15:31 +0800
From: "David Xu" <bsddiy@163.net>
To: "Christopher Ellwood" <chris+freebsd-net@silicon.net>, <freebsd-net@freebsd.org>
Subject: Re: Problem with Code Red II and HTTP Accept Filtering
Message-ID: <004401c11fc9$25a08950$6201a8c0@William>
References: <20010807213844.N672-100000@diamond>
My opinion is: don't use the accept filter, it can become a DoS attack target. Sending a big HTTP header and not completing it does not let Apache know a connection is already made, and there is no timeout counter like the one in the Apache server. Using an accept filter cannot get so much benefit.

--
David Xu

----- Original Message -----
From: "Christopher Ellwood" <chris+freebsd-net@silicon.net>
To: <freebsd-net@freebsd.org>
Sent: Wednesday, August 08, 2001 12:42 PM
Subject: Problem with Code Red II and HTTP Accept Filtering

> The Code Red II worm seems to have a negative impact on FreeBSD machines
> with HTTP Accept Filtering enabled either statically in the kernel or via
> modules.
>
> The man page for accf_http states that:
>
> It prevents the application from receiving the connected descriptor via
> accept() until either a full HTTP/1.0 or HTTP/1.1 HEAD or GET request has
> been buffered by the kernel.
>
> What seems to be happening is Code Red II sends its 3.8K malformed
> request, but the accept filter doesn't recognize this request as being
> completed. So the connection sits in the established state with 3818
> bytes in the Receive Queue as shown in the following netstat:
>
> Proto Recv-Q Send-Q  Local Address     Foreign Address    (state)
> tcp4    3818      0  10.1.1.1.80       64.1.1.1.2932      ESTABLISHED
>
> If you get enough of these (about 20-30 on a machine with NMBCLUSTERS set
> to 1024), your mbuf cluster pool becomes exhausted and network
> transactions begin to fail.
>
> This inadvertent side effect of the Code Red worm suggests that it would
> also be relatively easy to launch a denial of service attack against a
> machine with HTTP accept filtering.
>
> This was observed on a FreeBSD 4.3-RELEASE machine running both Apache
> 1.3.19 and 1.3.20.
>
> Regards,
>
> - Christopher Ellwood
> Network Security Consultant
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
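An added example, written for this archive page and not taken from either message in the thread: a POSIX sh helper that scans `netstat -an` output for the pattern Ellwood's netstat line shows (tcp4, ESTABLISHED, local port 80, a large Recv-Q that never drains) and counts such connections, so an operator can watch a host with accf_http loaded approach the 20-30 connection range the post associates with mbuf cluster exhaustion. It assumes the FreeBSD 4.x column layout `Proto Recv-Q Send-Q Local Address Foreign Address (state)` with the port appended to the address after the last dot; the netstat lines embedded below are constructed sample data, not captured output.

```shell
#!/bin/sh
# Added example (not from the thread). Counts established tcp4 connections
# on a given local port whose receive queue is at or above a byte threshold,
# i.e. requests the accept filter has buffered but never handed to accept().
#
# Usage: netstat -an | stuck_accf_conns [min_recvq_bytes] [local_port]
# Assumes FreeBSD 4.x `netstat -an` columns:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address (state)
stuck_accf_conns() {
    min_recvq="${1:-1024}"
    port="${2:-80}"
    awk -v min="$min_recvq" -v port="$port" '
        $1 == "tcp4" && $6 == "ESTABLISHED" && $2 + 0 >= min + 0 {
            # Local address looks like 10.1.1.1.80: the port is the last
            # dot-separated field.
            n = split($4, a, ".")
            if (a[n] == port) count++
        }
        END { print count + 0 }
    '
}

# Returns 0 (alert) when the stuck-connection count has reached the ceiling
# an operator chooses; the post reports trouble at about 20-30 connections
# with NMBCLUSTERS=1024, so 20 is used as the default here (an assumption).
stuck_above_ceiling() {
    count="$1"
    ceiling="${2:-20}"
    [ "$count" -ge "$ceiling" ]
}

# Constructed sample of `netstat -an` output (not real captured data).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4    3818      0  10.1.1.1.80            64.1.1.1.2932          ESTABLISHED
tcp4    3818      0  10.1.1.1.80            64.1.1.2.1040          ESTABLISHED
tcp4       0      0  10.1.1.1.80            64.1.1.3.5001          ESTABLISHED
tcp4     120      0  10.1.1.1.22            64.1.1.4.4411          ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN'

# Demonstration on the constructed sample: two connections on port 80 carry
# an undrained 3818-byte receive queue, so this prints 2.
n=$(printf '%s\n' "$SAMPLE_NETSTAT" | stuck_accf_conns 1024 80)
echo "stuck accept-filter connections on port 80: $n"
if stuck_above_ceiling "$n" 20; then
    echo "WARNING: stuck connections at or above ceiling"
fi
```

On a live host, replace the constructed sample with `netstat -an | stuck_accf_conns` and run it from cron or a monitoring agent; the threshold arguments let the same function be pointed at another port or tuned to the request size being buffered.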