From owner-freebsd-net Tue Aug 7 22:18:21 2001
Delivered-To: freebsd-net@freebsd.org
Message-ID: <004401c11fc9$25a08950$6201a8c0@William>
From: "David Xu"
To: "Christopher Ellwood"
References: <20010807213844.N672-100000@diamond>
Subject: Re: Problem with Code Red II and HTTP Accept Filtering
Date: Wed, 8 Aug 2001 13:15:31 +0800
Sender: owner-freebsd-net@FreeBSD.ORG

My opinion is: don't use the accept filter; it can become a DoS attack target.
Sending a big HTTP header and not completing it does not let Apache know a
connection is already made, and there is no timeout counter like the one in
the Apache server. Using an accept filter cannot get so much benefit.

--
David Xu

----- Original Message -----
From: "Christopher Ellwood"
To:
Sent: Wednesday, August 08, 2001 12:42 PM
Subject: Problem with Code Red II and HTTP Accept Filtering

> The Code Red II worm seems to have a negative impact on FreeBSD machines
> with HTTP Accept Filtering enabled either statically in the kernel or via
> modules.
>
> The man page for accf_http states that:
>
>   It prevents the application from receiving the connected descriptor via
>   accept() until either a full HTTP/1.0 or HTTP/1.1 HEAD or GET request has
>   been buffered by the kernel.
>
> What seems to be happening is Code Red II sends its 3.8K malformed
> request, but the accept filter doesn't recognize this request as being
> completed. So the connection sits in the established state with 3818
> bytes in the Receive Queue as shown in the following netstat:
>
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4     3818      0  10.1.1.1.80            64.1.1.1.2932          ESTABLISHED
>
> If you get enough of these (about 20-30 on a machine with NMBCLUSTERS set
> to 1024), your mbuf cluster pool becomes exhausted and network
> transactions begin to fail.
>
> This inadvertent side effect of the Code Red worm suggests that it would
> also be relatively easy to launch a denial of service attack against a
> machine with HTTP accept filtering.
>
> This was observed on a FreeBSD 4.3-RELEASE machine running both Apache
> 1.3.19 and 1.3.20.
>
> Regards,
>
> - Christopher Ellwood
> Network Security Consultant
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
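The symptom Christopher describes in the quoted post, connections parked in ESTABLISHED with a few kilobytes sitting in Recv-Q because the accept filter never hands them to Apache, is visible in plain `netstat -an` output. The following is an added example for spotting that condition, not code from either poster: a POSIX sh/awk filter that picks out ESTABLISHED connections to a given local port whose Recv-Q is above a threshold, counts them, and ranks the foreign hosts. The function names (`stalled_http_conns`, `count_stalled_http_conns`, `top_stalled_peers`), the 1024-byte default threshold, and the sample netstat lines are all constructed for this example; the `64.1.1.1` peer and the 3818-byte queue are taken from the post.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `netstat -an` output (not from the original thread).
# Two stalled connections from one peer, one healthy request, one unrelated port,
# one stalled-looking connection that is not ESTABLISHED, and the listener itself.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4     3818      0  10.1.1.1.80            64.1.1.1.2932          ESTABLISHED
tcp4     3818      0  10.1.1.1.80            64.1.1.1.2940          ESTABLISHED
tcp4        0      0  10.1.1.1.80            192.0.2.10.41022       ESTABLISHED
tcp4     3818      0  10.1.1.1.22            198.51.100.7.5555      ESTABLISHED
tcp4     3818      0  10.1.1.1.80            64.1.1.1.2950          CLOSE_WAIT
tcp4        0      0  *.80                   *.*                    LISTEN'

# stalled_http_conns [min_recvq] [local_port]
# Reads netstat output on stdin and prints "<recvq> <foreign address>" for every
# ESTABLISHED TCP connection to local_port whose Recv-Q is at least min_recvq bytes.
# Hypothetical helper; FreeBSD prints addresses as host.port, so the port is the
# text after the last dot of the local address field.
stalled_http_conns() {
    min_recvq="${1:-1024}"
    local_port="${2:-80}"
    awk -v min="$min_recvq" -v port="$local_port" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $2+0 >= min {
            n = split($4, a, ".")
            if (a[n] == port) print $2, $5
        }'
}

# count_stalled_http_conns [min_recvq] [local_port]
# Number of stalled connections in the embedded sample; a quick threshold check
# that a cron job could compare against the NMBCLUSTERS headroom on the box.
count_stalled_http_conns() {
    printf '%s\n' "$SAMPLE_NETSTAT" | stalled_http_conns "$@" | wc -l | tr -d ' '
}

# top_stalled_peers [min_recvq] [local_port]
# Foreign hosts (port stripped) ranked by how many stalled connections they hold,
# which separates a worm or a single abusive client from ordinary slow readers.
top_stalled_peers() {
    printf '%s\n' "$SAMPLE_NETSTAT" | stalled_http_conns "$@" \
        | awk '{ n = split($2, a, "."); sub("\\." a[n] "$", "", $2); c[$2]++ }
               END { for (h in c) print c[h], h }' | sort -rn
}
```

On a live system the same filter is fed from the real command, `netstat -an | stalled_http_conns 1024 80`, and the count is best read next to `netstat -m`, which reports how much of the mbuf cluster pool is already in use; a rising number of stalled port-80 connections while cluster usage climbs is the pattern from the post. The threshold is deliberately a parameter: a legitimate client on a slow link can also leave a partial request in Recv-Q for a moment, so a single reading is less telling than the same peers persisting across several samples.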