Date: Tue, 23 Jun 2009 10:35:30 -0400 From: Michael Powell <nightrecon@verizon.net> To: freebsd-questions@freebsd.org Subject: Re: slowloris, accf_http and POST requests Message-ID: <h1qp40$6an$1@ger.gmane.org> References: <20090622112607.GA80249@ei.bzerk.org> <200906220845.23920.npapke@acm.org> <20090622171516.GA82862@ei.bzerk.org> <20090622223556.GC76275@dan.emsphone.com> <20090623083930.GA90810@ei.bzerk.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Ruben de Groot wrote: > On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed: >> In the last episode (Jun 22), Ruben de Groot said: >> > >> > My main concern here is if applying the trivial patch I posted would >> > break anything in the http protocol layer. And if not, why isn't the >> > POST method included in the http accept filter in the first place? >> >> The filter wasn't designed to be an anti-DOS tool; it was an optimization >> to >> save some context switches at the beginning of every request. POSTs are > > I know this. But in this particular case, it *works* as an anti-DOS tool. > And a pretty good one too. > >> infrequent, always include extra trailing data after the headers, and end >> up doing more processing at the server end than plain GET or HEADs, so >> buffering the first line of the request doesn't really help much. > > Well, it helps against this slowloris script. And I don't see it costing > much. > >> You're better off adding a request-max-time limit to your webserver, or >> doing random-drops of existing connections if you get close to your fd or >> thread limit. > > I'm exploring these options as well, but they have their own drawbacks. > > Anyway, since it doesn't look like I'm breaking anything by buffering the > POST headers, I'm gonna maintain this as a local patch until something > better comes along. > I was interested to follow this, as I was under the impression http accept filter was more for performance rather than security. Since I use it anyway I was happy to learn of these facts. Although not directly related, per se, you may also be interested in: http://www.modsecurity.org/projects/modsecurity/apache/index.html It can be useful in narrowing the scope of allowable POST content to mitigate SQL injection techniques. The default pattern is overly broad but if you are only intent on tightening up one web app on one server it is possible to tune it to be more specific. Not a magic bullet, but every layer in the onion helps. -Mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?h1qp40$6an$1>