From: Ruben de Groot
To: Norbert Papke
Cc: freebsd-questions@freebsd.org
Date: Mon, 22 Jun 2009 19:15:16 +0200
Subject: Re: slowloris, accf_http and POST requests
Message-ID: <20090622171516.GA82862@ei.bzerk.org>
In-Reply-To: <200906220845.23920.npapke@acm.org>

On Mon, Jun 22, 2009 at 08:45:23AM -0700, Norbert Papke typed:
> On June 22, 2009, Ruben de Groot wrote:
> > Can anybody explain why the http accept filter only works on GET/HEAD
> > requests?
> >
> > The reason I ask is I was checking up on the slowloris DOS tool
> > (http://ha.ckers.org/slowloris/slowloris.pl) and, like others before me,
> > found that the -httpready switch (which uses POST instead of GET) renders
> > the accf_http module useless as a protection against this kind of attack.
>
> With the POST request, the client sends additional data after the header.
> This additional data is the form data (the x-www-form-urlencoded encoded
> name-value pairs). The filter will allow the request to proceed to the
> application after the header has been received but before the form data has
> been received.
>
> A "slowloris" attack could exploit this fact by sending a complete header but
> then slowly doling out the form data.

Apparently, the current incarnation of the slowloris script doesn't do that,
so adding POST to the methods handled by the http accept filter would protect
me from script kiddies who want to attack my servers by this method.

My main concern here is if applying the trivial patch I posted would break
anything in the http protocol layer. And if not, why isn't the POST method
included in the http accept filter in the first place?

> To protect against this scenario, the filter would need to be modified to
> collect the form data as well. Of course, it doesn't stop there. The filter
> would also have to deal with multi-part forms.

Yes. It's an ongoing struggle. And the filter would probably soon become too
complex to maintain in a kernel module :(

> Disclaimer: This is based on cursory reading of the code.

Thank you for your input.

Ruben
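Added example (not code from the thread or from FreeBSD's accf_http): a user-space model of the three behaviours the thread discusses, namely the filter as shipped, the patch that adds POST to the header check, and the body-collecting variant Norbert says would be needed against a POST whose form data arrives slowly. The policy names, the helper functions and the sample buffers are constructed for illustration.

```python
import re
from typing import Optional, Tuple

HEADER_END = b"\r\n\r\n"
# Policies modelled from the thread (simplified, not the kernel code):
#   accf_http: hold GET/HEAD until the full header, pass any other method at once
#   patched:   also hold POST until the full header (the trivial patch)
#   body:      additionally hold POST until the Content-Length body has arrived
POLICIES = ("accf_http", "patched", "body")

def content_length(header: bytes) -> Optional[int]:
    m = re.search(rb"(?im)^content-length:[ \t]*(\d+)", header)
    return int(m.group(1)) if m else None

def request_ready(buf: bytes, policy: str = "accf_http") -> Tuple[bool, str]:
    """Would the filter let accept(2) return this connection yet?"""
    if b" " not in buf:
        return False, "request line not yet readable"
    method = buf.split(b" ", 1)[0].upper()
    held = {b"GET", b"HEAD"} | ({b"POST"} if policy != "accf_http" else set())
    if method not in held:
        return True, "method not filtered, passed through at once"
    end = buf.find(HEADER_END)
    if end < 0:
        return False, "header incomplete"     # the classic slowloris case
    if policy != "body" or method != b"POST":
        return True, "header complete"
    header, body = buf[:end], buf[end + len(HEADER_END):]
    if re.search(rb"(?im)^transfer-encoding:.*chunked", header):
        return False, "chunked body: needs a full body parser"   # beyond byte counting
    length = content_length(header)
    if length is None:
        return True, "POST declares no body"
    if len(body) < length:
        return False, f"body incomplete ({len(body)}/{length} bytes)"
    return True, "header and body complete"

# Constructed sample buffers (not captured traffic).
POST_HEADER = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 13\r\n\r\n")
SAMPLES = {
    "get_partial":  b"GET / HTTP/1.1\r\nHost: example.test\r\n",
    "post_partial": b"POST / HTTP/1.1\r\nHost: example.test\r\n",
    "post_header":  POST_HEADER,
    "post_full":    POST_HEADER + b"user=a&pass=b",
}
if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name.ljust(13), *(f"{p}={request_ready(raw, p)[0]}" for p in POLICIES))
```

Running it shows the point of the thread in one table: the partial POST passes the shipped filter at once, the patch holds it like a GET, and only the body policy keeps a complete-header POST back until its 13 body bytes arrive.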