From owner-freebsd-net Tue Aug 7 21:57:49 2001
Date: Tue, 7 Aug 2001 23:57:44 -0500
From: Alfred Perlstein
To: Christopher Ellwood
Cc: freebsd-net@freebsd.org
Subject: Re: Problem with Code Red II and HTTP Accept Filtering
Message-ID: <20010807235744.A85642@elvis.mu.org>
References: <20010807213844.N672-100000@diamond>
In-Reply-To: <20010807213844.N672-100000@diamond>; from chris+freebsd-net@silicon.net on Tue, Aug 07, 2001 at 09:42:22PM -0700

* Christopher Ellwood [010807 23:42] wrote:
> The Code Red II worm seems to have a negative impact on FreeBSD machines
> with HTTP Accept Filtering enabled either statically in the kernel or via
> modules.
>
> The man page for accf_http states that:
>
>   It prevents the application from receiving the connected descriptor via
>   accept() until either a full HTTP/1.0 or HTTP/1.1 HEAD or GET request has
>   been buffered by the kernel.
>
> What seems to be happening is Code Red II sends its 3.8K malformed
> request, but the accept filter doesn't recognize this request as being
> completed.
> So the connection sits in the established state with 3818
> bytes in the Receive Queue as shown in the following netstat:
>
> Proto Recv-Q Send-Q  Local Address    Foreign Address    (state)
> tcp4    3818      0  10.1.1.1.80      64.1.1.1.2932      ESTABLISHED
>
> If you get enough of these (about 20-30 on a machine with NMBCLUSTERS set
> to 1024), your mbuf cluster pool becomes exhausted and network
> transactions begin to fail.
>
> This inadvertent side effect of the Code Red worm suggests that it would
> also be relatively easy to launch a denial of service attack against a
> machine with HTTP accept filtering.
>
> This was observed on a FreeBSD 4.3-RELEASE machine running both Apache
> 1.3.19 and 1.3.20.

This is somewhat true; however, your machine seems to be configured quite
poorly. Having a low amount of NMBCLUSTERS (1024) and at the same time
keeping an unbounded (or at least large) listen queue (listen(fd,-1)) is
not advised, especially when you are using accept filters.

-- 
-Alfred Perlstein [alfred@freebsd.org]
Ok, who wrote this damn function called '??'?
And why do my programs keep crashing in it?
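The thread describes the failure mode from the kernel's side (connections parked in ESTABLISHED with unread bytes until the mbuf cluster pool runs dry) and the mitigation from the operator's side (a bounded listen backlog and an NMBCLUSTERS sized to match). The following is an added example, not code from the posting or from FreeBSD: it parses `netstat -an` output in the layout shown above, flags ESTABLISHED port-80 connections that still hold unread request bytes, gives a lower-bound estimate of the clusters they pin against the configured pool, and includes a deliberately simplified model of the accept filter's completion check to show why a request line that never parses stays parked. The `NETSTAT_SAMPLE` rows are constructed (the first data row mirrors the one in the posting), `MCLBYTES = 2048` is the FreeBSD cluster size used only for the estimate, and `REQUEST_LINE` is an assumed model rather than the kernel's parser.

```python
"""Spot HTTP connections parked behind an accept filter in netstat output.

Added example for this thread, not code from the posting or from FreeBSD.
Assumes the FreeBSD `netstat -an` layout (Proto, Recv-Q, Send-Q, Local
Address, Foreign Address, state) with addresses written as host.port.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

MCLBYTES = 2048  # FreeBSD mbuf cluster size; used only for a lower-bound estimate

# Assumed, simplified model of what accf_http(9) waits for: a GET/HEAD
# request line carrying an HTTP/1.0 or HTTP/1.1 version. Not the kernel parser.
REQUEST_LINE = re.compile(rb"^(GET|HEAD) \S+ HTTP/1\.([01])\r?\n")


@dataclass
class Conn:
    proto: str
    recvq: int
    sendq: int
    local_host: str
    local_port: int
    foreign_host: str
    foreign_port: int
    state: str


def _split_addr(field: str):
    """'10.1.1.1.80' -> ('10.1.1.1', 80); '*.*' -> ('*', 0)."""
    host, _, port = field.rpartition(".")
    return host, int(port) if port.isdigit() else 0


def parse_netstat(lines: Iterable[str]) -> List[Conn]:
    """Keep only TCP rows; header text and UDP rows (no state column) are skipped."""
    conns = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or not parts[0].startswith("tcp"):
            continue
        proto, recvq, sendq, local, foreign, state = parts
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        conns.append(Conn(proto, int(recvq), int(sendq), lhost, lport, fhost, fport, state))
    return conns


def parked_http_conns(conns: List[Conn], port: int = 80) -> List[Conn]:
    """ESTABLISHED connections to the HTTP port still holding unread bytes.

    With accf_http loaded these are sockets the filter has not released to
    accept() yet, so only the kernel is holding their buffered data.
    """
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.local_port == port and c.recvq > 0]


def request_complete(buf: bytes) -> bool:
    """Would the simplified filter model hand this buffer to accept()?

    HTTP/1.0: the request line suffices. HTTP/1.1: the header block must end
    with a blank line. A request line that never parses stays parked for as
    long as the peer keeps the connection open.
    """
    m = REQUEST_LINE.match(buf)
    if m is None:
        return False
    if m.group(2) == b"1":
        return b"\r\n\r\n" in buf or b"\n\n" in buf
    return True


def report(lines: Iterable[str], nmbclusters: int, port: int = 80) -> Dict[str, int]:
    """Summarise parked connections against the configured cluster pool.

    min_clusters assumes queued bytes are packed tightly into clusters; in
    practice each received segment may occupy a cluster of its own, so real
    usage is higher (the posting saw 20-30 connections exhaust 1024 clusters).
    """
    parked = parked_http_conns(parse_netstat(lines), port)
    queued = sum(c.recvq for c in parked)
    min_clusters = -(-queued // MCLBYTES)  # ceiling division
    return {
        "parked": len(parked),
        "queued_bytes": queued,
        "min_clusters": min_clusters,
        "nmbclusters": nmbclusters,
        "pool_pct_lower_bound": 100 * min_clusters // nmbclusters,
    }


# Constructed sample output; the first data row mirrors the one in the posting.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4    3818      0  10.1.1.1.80            64.1.1.1.2932          ESTABLISHED
tcp4    3818      0  10.1.1.1.80            64.1.1.2.1044          ESTABLISHED
tcp4       0      0  10.1.1.1.80            192.0.2.7.51022        ESTABLISHED
tcp4       0      0  10.1.1.1.22            192.0.2.9.40112        ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
""".splitlines()

if __name__ == "__main__":
    for key, value in report(NETSTAT_SAMPLE, nmbclusters=1024).items():
        print(f"{key}: {value}")
```

Run against live `netstat -an` output, a rising `parked` count with no matching growth in the web server's own accept rate is the signature of the condition the posting describes. The operational fix is the one Alfred gives: pass a bounded backlog to `listen()` instead of `-1`, so the number of connections the filter can hold is capped, and raise NMBCLUSTERS so that cap times a worst-case request still fits in the pool.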