Date: Mon, 22 Jun 2009 13:26:07 +0200
From: Ruben de Groot
To: questions@freebsd.org
Subject: slowloris, accf_http and POST requests
Message-ID: <20090622112607.GA80249@ei.bzerk.org>

Hi,

Can anybody explain why the http accept filter only works on GET/HEAD requests?

The reason I ask is I was checking up on the slowloris DOS tool (http://ha.ckers.org/slowloris/slowloris.pl) and, like others before me, found that the -httpready switch (which uses POST instead of GET) renders the accf_http module useless as a protection against this kind of attack.

Recompiling the module for caching POST requests as well (see small patch below) seems to work. At least the slowloris tool can no longer be used to DOS apache. Also, I've checked that CGI scripts using POST still work.

But I hesitate to go and use this in production. There must have been a reason why POST was not implemented in the http accept filter and doing this might break things?

Ruben

# cd /usr/src/sys/netinet
# diff -u accf_http.c.orig accf_http.c
--- accf_http.c.orig 2007-11-11 13:32:12.000000000 +0000 +++ accf_http.c 2009-06-22 10:42:35.000000000 +0000
@@ -38,7 +38,7 @@ #include #include -/* check for GET/HEAD */ +/* check for GET/HEAD/POST */ static void sohashttpget(struct socket *so, void *arg, int waitflag); /* check for HTTP/1.0 or HTTP/1.1 */ static void soparsehttpvers(struct socket *so, void *arg, int waitflag); @@ -178,6 +178,9 @@ case 'H': STRSETUP(cmp, cmplen, "EAD "); break; + case 'P': + STRSETUP(cmp, cmplen, "OST "); + break; default: goto fallout; } # cd /usr/src/sys/modules/accf_http/ # make && make install # kldload accf_http
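Review bot: In the first hunk (@@ -38,7 +38,7 @@) the comment now reads "check for GET/HEAD/POST", but the function it documents is still declared as sohashttpget, so the name no longer matches what the function checks. Either give it a method-neutral name or say in the comment that the name is historical, so a later reader does not assume POST is handled somewhere else.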
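Review bot: In the second hunk (@@ -178,6 +178,9 @@) the new case 'P' sets up only "OST " for comparison, and any other first byte still reaches default: goto fallout, so a request with a method other than GET, HEAD or POST takes the same path that POST took before this change. If the intent is to close the gap described in the message and not just cover this one verb, say in the comment which methods are deliberately left out, or handle the remaining ones in this switch as well.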