From: Norbert Papke <npapke@acm.org>
Organization: Archaeological Filing
To: freebsd-questions@freebsd.org
Cc: Ruben de Groot, questions@freebsd.org
Date: Mon, 22 Jun 2009 08:45:23 -0700
Subject: Re: slowloris, accf_http and POST requests
In-Reply-To: <20090622112607.GA80249@ei.bzerk.org>
Message-Id: <200906220845.23920.npapke@acm.org>

On June 22, 2009, Ruben de Groot wrote:
> Can anybody explain why the http accept filter only works on GET/HEAD
> requests?
>
> The reason I ask is I was checking up on the slowloris DOS tool
> (http://ha.ckers.org/slowloris/slowloris.pl) and, like others before me,
> found that the -httpready switch (which uses POST instead of GET) renders
> the accf_http module useless as a protection against this kind of attack.

With the POST request, the client sends additional data after the header.
This additional data is the form data (the x-www-form-urlencoded encoded
name-value pairs). The filter will allow the request to proceed to the
application after the header has been received but before the form data
has been received. A "slowloris" attack could exploit this fact by sending
a complete header but then slowly doling out the form data.

To protect against this scenario, the filter would need to be modified to
collect the form data as well. Of course, it doesn't stop there. The
filter would also have to deal with multi-part forms.

Disclaimer: This is based on cursory reading of the code.

Cheers,

-- 
Norbert Papke.
npapke@acm.org

http://saveournet.ca
Protecting your Internet's level playing field
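The following is an added illustration, not part of the message above and not FreeBSD's accf_http(9) code. It is a small user-space model of the two behaviours the reply describes: a filter that releases the connection as soon as the request header block is complete (so a POST whose body is trickled out reaches the application early), and the proposed variant that also holds a POST until the Content-Length bytes of form data have arrived. The request bytes, host name and function names are constructed for the example; `simulate` feeds segments one at a time the way a slow client would deliver them.

```python
# Model of the HTTP accept-filter behaviour discussed above.
# Illustrative user-space model only; not FreeBSD's accf_http(9) implementation.
# All sample requests below are constructed for this example.

HEADER_END = b"\r\n\r\n"


def parse_request(buf):
    """Split a buffered request into (method, headers, body).

    Returns None while the header block is still incomplete.
    Header names are lower-cased so lookups are case-insensitive.
    """
    idx = buf.find(HEADER_END)
    if idx < 0:
        return None
    head = buf[:idx].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers, buf[idx + len(HEADER_END):]


def header_only_ready(buf):
    """Behaviour described in the reply: release the connection to the
    application as soon as the request line and headers have arrived,
    whatever the method and whether or not a body is still outstanding."""
    return parse_request(buf) is not None


def header_and_body_ready(buf):
    """Proposed change: for a POST, keep holding the connection until the
    declared Content-Length bytes of form data have also been buffered.

    Requests the model cannot judge (chunked encoding, no usable
    Content-Length) are passed through; a real filter would still need a
    chunk parser and multipart handling, as the reply notes.
    """
    parsed = parse_request(buf)
    if parsed is None:
        return False
    method, headers, body = parsed
    if method in ("GET", "HEAD"):
        return True
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return True  # no chunk parser in this model: pass through
    length = headers.get("content-length")
    if length is None or not length.isdigit():
        return True  # nothing to wait for, or unparseable: pass through
    return len(body) >= int(length)


def simulate(chunks, ready):
    """Append chunks to a buffer one at a time and return the 1-based index
    of the chunk after which `ready` first releases the connection
    (None if the connection is never released)."""
    buf = b""
    for i, chunk in enumerate(chunks, 1):
        buf += chunk
        if ready(buf):
            return i
    return None


# Constructed slowloris-style POST: complete header in one segment, then a
# 13-byte urlencoded form body trickled one byte at a time.
SLOW_POST = [
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n\r\n"
] + [bytes([b]) for b in b"user=a&pass=b"]

# Constructed slow GET: the header itself trickled one byte at a time.
SLOW_GET = [bytes([b]) for b in b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"]

if __name__ == "__main__":
    print("slow POST, header-only filter releases after chunk:",
          simulate(SLOW_POST, header_only_ready))
    print("slow POST, header+body filter releases after chunk:",
          simulate(SLOW_POST, header_and_body_ready))
    print("slow GET, header-only filter releases after chunk:",
          simulate(SLOW_GET, header_only_ready))
```

Run stand-alone, the model releases the trickled POST after the first segment under the header-only rule and only after the whole body under the header-and-body rule, while the trickled GET is held until its last header byte under either rule. One caveat a practitioner should keep in mind: holding a connection until Content-Length bytes arrive just moves the waiting into the filter's buffer, so a deployed variant would also need a cap on how much body it is willing to buffer and a timeout on how long it will wait, or a client declaring a large Content-Length and sending slowly simply ties up kernel memory instead of an application worker.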