On Wednesday, September 26, 2001, at 11:58, Simon Rosenthal wrote:
> I'm not sure that any mod_perl handlers are dispatched until the whole
> request is received, so you may have to deal with this at the core
> Apache level.
I was expecting as much, just hoping it wasn't true. ;)
>
> I think the following is your best bet (from
> http://httpd.apache.org/docs/mod/core.html#timeout )
>
>> TimeOut directive
Yeah, the trick is I need to do a per-IP rule and not take out
high-latency users.
> We've experienced this kind of attack inadvertently (as the result of
> a totally misconfigured HTTP client app which froze in the middle of
> sending an HTTP request ;=) but I wasn't aware that there were known
> attacks based on that.
Known as in experienced in the wild, no, but folks on nanog are talking
about strange log file entries. For instance I see blocks of 408s at
very very regular intervals from the same clients, of unknown origin. I
wrote a proof-of-concept exploit that takes out my (stock config) Apache
server for 6 minutes (from one client), and the math says that 30-or-so
machines in a DDoS would tie up my Apache indefinitely no matter how I
configured it (anything that would reasonably allow normal users to
connect successfully). I got a higher hit frequency from Nimda than
that, so everything is in place for it to happen. I'm attempting the
ounce of prevention.
I wrote to the apache security list about it, with a proposed fix, but
have received no response, so I'm investigating doing it myself. I
don't think I know apache internals well enough, though I'm not bad with
mod_perl. If anyone good with Apache C is interested I'm happy to share
full details off-list.
-Bill
-----
Bill McGonigle
Research & Development
Medical Media Systems, Inc.
http://www.medicalmedia.com
+1.603.298.5509x329
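The "blocks of 408s at very very regular intervals from the same clients" that Bill mentions are the symptom a sysadmin can actually look for in access_log. The script below is an added example for this thread, not code posted by either participant and not part of Apache or mod_perl: it parses Apache Common Log Format, groups 408 (Request Timeout) entries by client host, and flags hosts whose timeouts recur at near-constant spacing. The log lines are constructed for the example; the five-minute spacing was chosen because Apache's default TimeOut is 300 seconds, so a client that opens a connection and never finishes the request produces a 408 about every five minutes. The host addresses and the thresholds (min_hits, max_cv) are assumptions, not values from the thread.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Apache Common Log Format: host ident authuser [date] "request" status bytes
# A request that timed out before a request line arrived is logged with "-" as
# the request and "-" as the size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (host, timestamp, status) for one access_log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, int(m.group("status"))


def find_regular_408_sources(lines, min_hits=3, max_cv=0.1):
    """
    Flag hosts whose 408s recur at near-constant spacing.

    A host is flagged when it has at least `min_hits` 408 entries and the
    gaps between its distinct 408 timestamps have a coefficient of
    variation (stdev / mean) of at most `max_cv`. Several 408s logged in
    the same second (one "block" of connections timing out together) count
    as one timestamp for the spacing test but all count toward `min_hits`.

    Returns {host: (hit_count, mean_gap_seconds)} for flagged hosts.
    """
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == 408:
            hits[parsed[0]].append(parsed[1])

    flagged = {}
    for host, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        distinct = sorted(set(stamps))
        if len(distinct) < 2:
            continue  # one block only; no interval to measure yet
        gaps = [(b - a).total_seconds() for a, b in zip(distinct, distinct[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            flagged[host] = (len(stamps), mean)
    return flagged


# Constructed sample log (assumed hosts; not from the original thread).
# 10.0.0.5 times out every 300 s, with two connections dying together at
# 12:05; 192.0.2.7 has 408s at irregular times; 10.0.0.9 is a normal client.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Sep/2001:12:00:00 -0400] "-" 408 -',
    '10.0.0.9 - - [26/Sep/2001:12:00:41 -0400] "GET / HTTP/1.0" 200 1532',
    '192.0.2.7 - - [26/Sep/2001:12:01:10 -0400] "-" 408 -',
    '192.0.2.7 - - [26/Sep/2001:12:02:50 -0400] "-" 408 -',
    '10.0.0.5 - - [26/Sep/2001:12:05:00 -0400] "-" 408 -',
    '10.0.0.5 - - [26/Sep/2001:12:05:00 -0400] "-" 408 -',
    '10.0.0.9 - - [26/Sep/2001:12:06:12 -0400] "GET /x.gif HTTP/1.0" 200 722',
    '192.0.2.7 - - [26/Sep/2001:12:09:00 -0400] "-" 408 -',
    '10.0.0.5 - - [26/Sep/2001:12:10:00 -0400] "-" 408 -',
    '10.0.0.9 - - [26/Sep/2001:12:12:30 -0400] "-" 408 -',
    '10.0.0.5 - - [26/Sep/2001:12:15:00 -0400] "-" 408 -',
]

if __name__ == "__main__":
    for host, (count, gap) in find_regular_408_sources(SAMPLE_LOG).items():
        print(f"{host}: {count} x 408, every {gap:.0f}s")
```

Run against the constructed log it reports only 10.0.0.5 (five 408s, 300 s apart); 192.0.2.7's gaps of 100 s and 370 s are too irregular and 10.0.0.9 has a single timeout. The output of a pass like this is the per-IP list Bill says he needs as input for a rule, and it is deliberately blind to latency: a slow but legitimate client produces occasional, irregular 408s, not a metronome.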