Date: Tue, 7 Aug 2001 21:42:22 -0700 (PDT)
From: Christopher Ellwood <chris+freebsd-net@silicon.net>
To: <freebsd-net@freebsd.org>
Subject: Problem with Code Red II and HTTP Accept Filtering
Message-ID: <20010807213844.N672-100000@diamond>
The Code Red II worm seems to have a negative impact on FreeBSD machines with HTTP Accept Filtering enabled either statically in the kernel or via modules. The man page for accf_http states that:

    It prevents the application from receiving the connected descriptor via
    accept() until either a full HTTP/1.0 or HTTP/1.1 HEAD or GET request
    has been buffered by the kernel.

What seems to be happening is Code Red II sends its 3.8K malformed request, but the accept filter doesn't recognize this request as being completed. So the connection sits in the established state with 3818 bytes in the Receive Queue, as shown in the following netstat:

    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4    3818      0  10.1.1.1.80            64.1.1.1.2932          ESTABLISHED

If you get enough of these (about 20-30 on a machine with NMBCLUSTERS set to 1024), your mbuf cluster pool becomes exhausted and network transactions begin to fail.

This inadvertent side effect of the Code Red worm suggests that it would also be relatively easy to launch a denial of service attack against a machine with HTTP accept filtering.

This was observed on a FreeBSD 4.3-RELEASE machine running both Apache 1.3.19 and 1.3.20.

Regards,

- Christopher Ellwood
Network Security Consultant
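The symptom described in the message, connections that sit ESTABLISHED on the HTTP port with data in Recv-Q that the accept filter never releases to the application, can be checked for from `netstat -an` output. The following script is an added example and is not part of the original message or of FreeBSD; the netstat lines it parses are constructed sample data in the same layout as the excerpt above, the port and the alert limit are parameters you choose, and the `stuck_http_connections`, `count_stuck` and `stuck_alert` function names are ours.

```shell
#!/bin/sh
# Added example: detect TCP connections to a local HTTP port that are
# ESTABLISHED with unread bytes in Recv-Q, the pattern from the report, and
# raise an alert when their number reaches a chosen limit.

# Constructed sample of `netstat -an` output (not a real capture). Local and
# foreign addresses use the dotted-quad.port form shown in the report.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4    3818      0  10.1.1.1.80            64.1.1.1.2932          ESTABLISHED
tcp4    3818      0  10.1.1.1.80            64.1.1.2.1044          ESTABLISHED
tcp4       0      0  10.1.1.1.80            192.0.2.7.51234        ESTABLISHED
tcp4       0    512  10.1.1.1.22            192.0.2.9.40001        ESTABLISHED
tcp4    3818      0  10.1.1.1.80            64.1.1.3.3000          ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN'

# stuck_http_connections PORT  (netstat output on stdin)
# Prints "<foreign address> <recv-q bytes>" for each ESTABLISHED connection
# whose local port is PORT and whose Recv-Q is non-zero: data the kernel is
# holding for the accept filter but has not handed to the application.
stuck_http_connections() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $2 > 0 {
            # the local port is the text after the last dot of field 4
            n = split($4, a, ".")
            if (a[n] == port) print $5, $2
        }'
}

# count_stuck PORT  (netstat output on stdin) -> number of such connections
count_stuck() {
    stuck_http_connections "$1" | wc -l | tr -d ' '
}

# stuck_alert COUNT LIMIT -> exit 0 when COUNT has reached LIMIT
# The report saw trouble at roughly 20-30 connections with NMBCLUSTERS=1024;
# pick LIMIT well below whatever exhausts your own cluster pool.
stuck_alert() {
    [ "$1" -ge "$2" ]
}

# Stand-alone run over the constructed sample. On a live FreeBSD host,
# replace the printf with: netstat -an | count_stuck 80
LIMIT=3
COUNT=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_stuck 80)
if stuck_alert "$COUNT" "$LIMIT"; then
    echo "ALERT: $COUNT connections to port 80 held in Recv-Q (limit $LIMIT):"
    printf '%s\n' "$SAMPLE_NETSTAT" | stuck_http_connections 80
else
    echo "OK: $COUNT held connections to port 80 (limit $LIMIT)"
fi
```

Run it periodically from cron and pipe the alert to your usual notification path; the count alone is the useful metric, and a rising count with `netstat -m` showing cluster usage near its limit is the combination the message describes.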