Date: Mon, 22 Jun 2009 13:26:07 +0200
From: Ruben de Groot <mail25@bzerk.org>
To: questions@freebsd.org
Subject: slowloris, accf_http and POST requests
Message-ID: <20090622112607.GA80249@ei.bzerk.org>
Hi,

Can anybody explain why the http accept filter only works on GET/HEAD requests?

The reason I ask is I was checking up on the slowloris DOS tool (http://ha.ckers.org/slowloris/slowloris.pl) and, like others before me, found that the -httpready switch (which uses POST instead of GET) renders the accf_http module useless as a protection against this kind of attack.

Recompiling the module for caching POST requests as well (see small patch below) seems to work. At least the slowloris tool can no longer be used to DOS apache. Also, I've checked that CGI scripts using POST still work.

But I hesitate to go and use this in production. There must have been a reason why POST was not implemented in the http accept filter and doing this might break things?

Ruben

# cd /usr/src/sys/netinet
# diff -u accf_http.c.orig accf_http.c
--- accf_http.c.orig 2007-11-11 13:32:12.000000000 +0000 +++ accf_http.c 2009-06-22 10:42:35.000000000 +0000 @@ -38,7 +38,7 @@ #include <sys/sysctl.h> #include <sys/socketvar.h> -/* check for GET/HEAD */ +/* check for GET/HEAD/POST */ static void sohashttpget(struct socket *so, void *arg, int waitflag); /* check for HTTP/1.0 or HTTP/1.1 */ static void soparsehttpvers(struct socket *so, void *arg, int waitflag); @@ -178,6 +178,9 @@ case 'H': STRSETUP(cmp, cmplen, "EAD "); break; + case 'P': + STRSETUP(cmp, cmplen, "OST "); + break; default: goto fallout; }
# cd /usr/src/sys/modules/accf_http/
# make && make install
# kldload accf_http
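
Review bot: In the first hunk (@@ -38,7 +38,7 @@) the comment above the sohashttpget prototype now reads GET/HEAD/POST, but the function name still says "get", so the name no longer describes what the function checks. Either pick a method-neutral name or note in the change description that the rename is deliberately left out, since the comment alone is easy to miss when reading call sites.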
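
Review bot: In the second hunk (@@ -178,6 +178,9 @@) the new case 'P' compares only against "OST ", so any request whose method is not GET, HEAD or POST still reaches default: goto fallout and is handled as it was before the patch. If the intent is for the filter to hold every request until it is complete, the method list or the fallout path needs another look. The change description should also say how a POST request body is treated, because the lines shown match only the method token and the testing described in the message covers CGI scripts using POST, not how request bodies arrive.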
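
Added example (not part of the original message and not the FreeBSD source): a simplified userland C model of the method check that the patch above extends, showing which request prefixes the filter keeps holding and which take the fallout path. The names accf_verdict and accf_method_check, the allow_post switch, the wait state for partial input and the sample request lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Userland model only; names are hypothetical, not from accf_http.c. */
enum accf_verdict {
    ACCF_FALLOUT, /* method not filtered (the patch's default: goto fallout) */
    ACCF_WAIT,    /* bytes so far still fit a filtered method: keep buffering */
    ACCF_HOLD     /* method matched: filter goes on to buffer the request */
};

/* allow_post = 0 models the stock switch, 1 the patched one. */
enum accf_verdict
accf_method_check(const char *buf, size_t len, int allow_post)
{
    const char *cmp;
    size_t cmplen, n;

    if (len == 0)
        return ACCF_WAIT;               /* nothing received yet */
    switch (buf[0]) {
    case 'G': cmp = "ET ";  break;
    case 'H': cmp = "EAD "; break;
    case 'P':
        if (!allow_post)
            return ACCF_FALLOUT;        /* stock behaviour: default case */
        cmp = "OST ";
        break;
    default:
        return ACCF_FALLOUT;
    }
    cmplen = strlen(cmp);
    n = (len - 1 < cmplen) ? len - 1 : cmplen;
    if (memcmp(buf + 1, cmp, n) != 0)
        return ACCF_FALLOUT;            /* e.g. "PUT " is not "POST " */
    return (n < cmplen) ? ACCF_WAIT : ACCF_HOLD;
}

int main(void)
{
    /* Constructed sample input, not captured traffic. */
    const char *samples[] = { "GET / HTTP/1.1\r\n", "POST /form HTTP/1.1\r\n", "PO" };
    static const char *names[] = { "fallout", "wait", "hold" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        for (int post = 0; post <= 1; post++)
            printf("allow_post=%d %-6.4s -> %s\n", post, samples[i],
                names[accf_method_check(samples[i], strlen(samples[i]), post)]);
    return 0;
}
```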