Date: Mon, 22 Jun 2009 08:45:23 -0700 From: Norbert Papke <npapke@acm.org> To: freebsd-questions@freebsd.org Cc: Ruben de Groot <mail25@bzerk.org>, questions@freebsd.org Subject: Re: slowloris, accf_http and POST requests Message-ID: <200906220845.23920.npapke@acm.org> In-Reply-To: <20090622112607.GA80249@ei.bzerk.org> References: <20090622112607.GA80249@ei.bzerk.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On June 22, 2009, Ruben de Groot wrote: > Can enybody explain why the http accept filter only works on GET/HEAD > requests? > > The reason I ask is I was checking up on the slowloris DOS tool > (http://ha.ckers.org/slowloris/slowloris.pl) and, like others before me, > found that the -httpready switch (which uses POST instead of GET) renders > the accf_http module useless as a protection against this kind of attack. With the POST request, the client sends additional data after the header. This additonal data is the form data (the x-www-form-urlencoded encoded name-value pairs). The filter will allow the request to proceed to the application after the header as been received but before the form data has been received. A "slowloris" attack could exploit this fact by sending a complete header but then slowing doling out the form data. To protect against this scenario, the filter would need to be modified to collect the form data as well. Of course, it doesn't stop there. The filter would also have to deal with multi-part forms. Disclaimer: This is based on cursory reading of the code. Cheers, -- Norbert Papke. npapke@acm.org http://saveournet.ca Protecting your Internet's level playing field
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200906220845.23920.npapke>