From owner-freebsd-questions@FreeBSD.ORG Tue Jun 23 14:33:54 2009
From: Michael Powell
Reply-To: nightrecon@verizon.net
To: freebsd-questions@freebsd.org
Date: Tue, 23 Jun 2009 10:35:30 -0400
Subject: Re: slowloris, accf_http and POST requests
References: <20090622112607.GA80249@ei.bzerk.org>
 <200906220845.23920.npapke@acm.org>
 <20090622171516.GA82862@ei.bzerk.org>
 <20090622223556.GC76275@dan.emsphone.com>
 <20090623083930.GA90810@ei.bzerk.org>
List-Id: User questions

Ruben de Groot wrote:
> On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
>> In the last episode (Jun 22), Ruben de Groot said:
>> >
>> > My main concern here is if applying the trivial patch I posted would
>> > break anything in the http protocol layer. And if not, why isn't the
>> > POST method included in the http accept filter in the first place?
>>
>> The filter wasn't designed to be an anti-DOS tool; it was an optimization
>> to save some context switches at the beginning of every request. POSTs are
>
> I know this. But in this particular case, it *works* as an anti-DOS tool.
> And a pretty good one too.
>
>> infrequent, always include extra trailing data after the headers, and end
>> up doing more processing at the server end than plain GET or HEADs, so
>> buffering the first line of the request doesn't really help much.
>
> Well, it helps against this slowloris script. And I don't see it costing
> much.
>
>> You're better off adding a request-max-time limit to your webserver, or
>> doing random-drops of existing connections if you get close to your fd or
>> thread limit.
>
> I'm exploring these options as well, but they have their own drawbacks.
>
> Anyway, since it doesn't look like I'm breaking anything by buffering the
> POST headers, I'm gonna maintain this as a local patch until something
> better comes along.
>

I was interested to follow this, as I was under the impression http accept
filter was more for performance rather than security. Since I use it anyway
I was happy to learn of these facts.

Although not directly related, per se, you may also be interested in:

http://www.modsecurity.org/projects/modsecurity/apache/index.html

It can be useful in narrowing the scope of allowable POST content to
mitigate SQL injection techniques. The default pattern is overly broad but
if you are only intent on tightening up one web app on one server it is
possible to tune it to be more specific. Not a magic bullet, but every
layer in the onion helps.

-Mike
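The behaviour the thread turns on, as an added example (mine, not the kernel's accf_http code or Ruben's patch): a simplified Python model of the accept filter's decision, in which the kernel hands a pending connection to accept(2) only once a recognized method's header block is complete. The `buffer_post` switch stands in for what the local patch adds, and the edge handling (full socket buffer, prefix matching) is assumed from accf_http(9) rather than copied from it.

```python
# Simplified model of the accf_http(9) accept-filter decision: hand-written for
# this thread, not the kernel source or Ruben's patch. The kernel looks at the
# bytes queued on a not-yet-accepted socket and either wakes the application
# or keeps holding the connection, so a slowloris-style trickle of partial
# headers costs no worker thread or descriptor until the header block is done.
WAKE = "wake application"   # SU_ISCONNECTED in the kernel
HOLD = "keep in kernel"     # SU_OK: wait for more data
STOCK_METHODS = (b"GET ", b"HEAD ")   # what the stock filter buffers

def _could_be(queued: bytes, method: bytes) -> bool:
    """True if the queued bytes are consistent with (a prefix of) this method."""
    n = min(len(queued), len(method))
    return queued[:n] == method[:n]

def accf_http_decision(queued: bytes, *, buffer_post: bool = False,
                       sockbuf_full: bool = False) -> str:
    """Return WAKE or HOLD for what is currently queued on one pending socket.

    buffer_post models the thread's local patch (treat POST like GET/HEAD).
    """
    if sockbuf_full:     # full receive buffer: pass through regardless, so a
        return WAKE      # connection can never be parked in the kernel forever
    methods = STOCK_METHODS + ((b"POST ",) if buffer_post else ())
    candidates = [m for m in methods if _could_be(queued, m)]
    if not candidates:
        return WAKE      # unrecognized method: the filter does not buffer it
    if all(len(queued) < len(m) for m in candidates):
        return HOLD      # e.g. b"GE": method not readable yet, keep waiting
    # Recognized method: hold until the queued data ends in a blank line
    # (CRLF CRLF or bare LF LF), i.e. the header block is complete.
    if queued.endswith(b"\n\n") or queued.endswith(b"\n\r\n"):
        return WAKE
    return HOLD

def connections_handed_to_app(snapshots, **opts) -> int:
    """How many of these pending connections accept(2) would return right now."""
    return sum(accf_http_decision(q, **opts) == WAKE for q in snapshots)

# Constructed sample: kernel-side snapshots of five pending connections, four
# of them slowloris-style (headers never finished) and one complete GET.
SAMPLE = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-a: 1\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-a: 2\r\nX-a: 3\r\n",
    b"POST / HTTP/1.1\r\nHost: www.example.com\r\nX-a: 1\r\n",
    b"POST / HTTP/1.1\r\nHost: www.example.com\r\n",
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
]
```

Only the header phase is covered: once the blank line arrives the connection is handed over, so a slow POST body still ties up a worker, which is why the request-time limit Dan mentions remains the more general fix.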