From: Ruben de Groot
To: Fabian Keil
Cc: freebsd-questions@freebsd.org
Date: Tue, 23 Jun 2009 21:58:35 +0200
Subject: Re: slowloris, accf_http and POST requests
Message-ID: <20090623195835.GA95137@ei.bzerk.org>
In-Reply-To: <20090623172319.1343511f@fabiankeil.de>
On Tue, Jun 23, 2009 at 05:23:19PM +0200, Fabian Keil typed:
> Ruben de Groot wrote:
>
> > On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
> > > In the last episode (Jun 22), Ruben de Groot said:
> > > >
> > > > My main concern here is if applying the trivial patch I posted would
> > > > break anything in the http protocol layer. And if not, why isn't the
> > > > POST method included in the http accept filter in the first place?
> > >
> > > The filter wasn't designed to be an anti-DOS tool; it was an
> > > optimization to save some context switches at the beginning of every
> > > request. POSTs are
> >
> > I know this. But in this particular case, it *works* as an anti-DOS
> > tool. And a pretty good one too.
>
> How did you verify this?

By using the slowloris script against my own servers. Running the script
from a single client pc:

./slowloris.pl -dns myserver.domain.tld -port 80 -timeout 2000 -num 500 -tcpto 5 -httpready

brings apache to its knees. No more connections are accepted as there are
already MaxClients processes running (150) and they're all just sitting
there waiting.

With accf_http just slightly adjusted as posted, nothing happens at all.
Apache just doesn't see the connections, even with multiple clients running
the DOS. (Of course, there'll be memory buffers in the kernel filling, but
from that I haven't seen any negative side effects yet)

> accf_http doesn't require a complete request but will also
> pass the connection to the userland if its buffer is full.

Haven't seen that, but it sounds sane.

> If you continue to send headers that will happen eventually and if
> you're impatient, you simply have to send a bit more headers at the
> beginning to reach the application faster.

Yes. A real and prolonged DDOS is hard to counter. And the accept filter
was not designed for that. It was just an observation about this particular
script.

cheers,
Ruben
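The accept-filter behaviour the thread turns on (hold the socket until a complete GET/HEAD request is buffered, pass any other method straight through, pass regardless once the receive buffer fills) modelled in userland, as an added example that is not code from the thread or from FreeBSD. The function names, the 4096-byte buffer limit, the sample request lines and the assumption that the patch does nothing more than add "POST " to the recognised methods are mine.

```python
# Added example (not from the thread): a userland model of the accf_http(9)
# accept-filter decision, to show why adding POST changes what Apache sees.
# The real filter lives in the FreeBSD kernel; these rules paraphrase it:
# hold the socket until a complete GET/HEAD request is buffered, hand any
# other method straight to the application, and hand the socket over
# regardless once the receive buffer is full (Fabian's point above).

HELD = "held-in-kernel"
PASS = "passed-to-apache"


def accf_http_decision(buf: bytes, hold_post: bool = False,
                       sb_max: int = 4096) -> str:
    """What the filter does with a connection whose receive buffer holds `buf`.
    hold_post=False models stock accf_http; hold_post=True models the
    thread's patch, assumed to do nothing more than add "POST " to the
    recognised methods.  sb_max is an assumed buffer size, not the kernel's."""
    if len(buf) >= sb_max:
        return PASS          # buffer full: filter gives up and wakes the app
    if len(buf) < 2:
        return HELD          # too little data to judge the method yet
    methods = [b"GET ", b"HEAD "] + ([b"POST "] if hold_post else [])
    if not any(buf.startswith(m) for m in methods):
        # Partial method word: keep waiting.  Anything else: fall out to userland.
        return HELD if any(m.startswith(buf) for m in methods) else PASS
    # Method recognised: wait for the blank line ending the headers.  Only the
    # trailing bytes are inspected (modelling assumption, see note below).
    return PASS if buf.endswith((b"\n\n", b"\n\r\n")) else HELD


def chunks_before_handoff(chunks, hold_post=False, sb_max=4096):
    """Feed a connection's bytes to the filter chunk by chunk, as a slow client
    would deliver them, and return the chunk count at which the socket was
    handed to Apache, or None if it was still held after the last chunk."""
    buf = b""
    for i, chunk in enumerate(chunks, 1):
        buf += chunk
        if accf_http_decision(buf, hold_post, sb_max) == PASS:
            return i
    return None


# Constructed sample traffic: an incomplete POST whose headers trickle in and
# whose terminating blank line never arrives, and a normal GET for comparison.
SLOW_POST = [b"POST / HTTP/1.1\r\n", b"Host: www.example.test\r\n"] + \
            [b"X-a: %d\r\n" % i for i in range(5)]
GOOD_GET = [b"GET / HTTP/1.1\r\n", b"Host: www.example.test\r\n", b"\r\n"]

if __name__ == "__main__":
    for label, hold in (("stock accf_http", False), ("with POST added", True)):
        print(label, "slow POST ->", chunks_before_handoff(SLOW_POST, hold),
              "| complete GET ->", chunks_before_handoff(GOOD_GET, hold))
```

With the stock rules the incomplete POST reaches Apache on its first chunk, while the model with POST added keeps it in the kernel until the buffer-full rule fires, which is exactly the trade Fabian describes. Because the model, like the kernel filter's header-end check as far as I can tell, looks only at the trailing bytes for the blank line, a POST whose body arrives in the same buffer is also held until the buffer fills; that is the kind of protocol-layer cost the thread's original question is about.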