First off, you might be better posting this on the apache list 
(http://httpd.apache.org/userslist.html) since I think this is primarily a server issue 
(or maybe mod_ssl) - not really OpenSSL...

Having said that, I can perhaps offer some hints as to what's going on:

- 400 is a "Bad Request"... this occurs when the request doesn't follow the HTTP spec 
(e.g. not GET or POST or HEAD or whatever). 

- 408 is a timeout, usually in response to a request for a CGI program. The duration 
of the timeout is controlled by your "TimeOut" directive in httpd.conf. If you don't 
have one, the default is 300 sec - which is 5 minutes :-)

Note that the report in the log occurs *after* the timeout has expired, so it is not 
that the "attacker" is sending something which generates a 400, then waiting 5 minutes 
then sending something else which generates a 408. What is happening is that the two 
requests are arriving simultaneously but that the response to the 408 request takes 5 
minutes to be logged. 

This all means that the second request (leading to the 408) must be requesting a real 
CGI program on your server. Furthermore, the request is framed such that it causes the 
program to get stuck or in a loop or otherwise take longer than 5 minutes to respond.

The fact that this causes apache to hang is very bad.

- what is the program?
- what does it do?
- what is the request like? 

PS the "GET_CLIENT_MASTER_KEY:key arg too long" message looks like the trap against 
the buffer-overflow exploit in 0.9.6g. But this is being trapped and so I think you 
are safe against it.

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Sonntag, 6. Oktober 2002 02:51
>To: [EMAIL PROTECTED]
>Subject: apache and that whole "bugbear" thing
>
>
>
>Is this the right place to ask questions about the bugbear worm?
>
>On a Sun box, we upgraded openssl to 0.9.6g because of the potential
>for the whole bugbear attack... I realize it's apparently targeted
>at linux, but better safe than sorry... well, we've started getting
>hit with what we think may be attacks... they're not getting through,
>but they cause apache to lock up... it's very strange... the situation
>seems to happen as follows:
>
>We get a couple http requests that return a "400" status... then the
>server stops serving requests... then EXACTLY (every time) 5 minutes
>later, to the second, we get a request that gives a 408 error from
>the same IP, then apache needs to be restarted before it accepts any
>further requests...
>
>until this morning, there has not been much information in the logs...
>but this morning, there were some entries in the ssl_engine_log that
>looked like this:
>
>[05/Oct/2002 02:55:42 00969] [error] SSL handshake timed out 
>(client 66.46.213.130, server XXX.XXX.com:443)
>[05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 
>established (server YYY.YYY.com:443, client 66.46.213.130)
>[05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 
>bytes of entropy
>[05/Oct/2002 02:55:42 00969] [error] SSL handshake failed 
>(server YYY.YYY.com:443, client 66.46.213.130) (OpenSSL 
>library error follows)
>[05/Oct/2002 02:55:42 00969] [error] OpenSSL: 
>error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
>[05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 
>established (server XXX.XXX.com:443, client 66.46.213.130)
>[05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 
>bytes of entropy
>
>66.46.213.130 was the ip address that gave the 400's and 408 this
>time around (different IP each time)...
>
>If this is not the best place to ask about this, please point me in
>the right direction... I'm starting to sweat with my boss breathing
>down my neck... this is a 24/7 production server, running critical
>web applications that internal and external customers access
>constantly... so any help towards an answer would be greatly
>appreciated...
>
>Thanks.
>Dan.
>
>
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    [EMAIL PROTECTED]
>Automated List Manager                           [EMAIL PROTECTED]
>
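The reply above describes a pattern a defender can look for in the logs: a 400 from a client, then a 408 from the same client about TimeOut seconds (300 s by default) later, alongside the trapped "key arg too long" handshake error in ssl_engine_log. The following script is an added example, not code from either poster or from the Apache or OpenSSL projects. The access-log lines are constructed (the CGI path and timestamps are invented placeholders, in Apache common-log format); the ssl_engine_log lines are the ones Dan quoted, re-joined onto single lines where his mail client wrapped them. It reports each 408 that follows a 400 from the same client by roughly the configured TimeOut, attributes each OpenSSL error line to the client named in the preceding handshake message, and lists clients that show both.

```python
"""Correlate Apache 400/408 timeout pairs with mod_ssl handshake failures."""
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined access-log line (sample lines below are constructed).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
# mod_ssl ssl_engine_log line: "[date time pid] [level] message"
SSL_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]\s+(?P<msg>.*)$')
CLIENT_RE = re.compile(r'client (?P<ip>\d+\.\d+\.\d+\.\d+)')


def parse_access(line):
    """Return ip, timestamp, request and status for one access-log line, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def find_timeout_pairs(lines, timeout=300, slack=1):
    """One record per 408 that follows a 400 from the same client by about
    `timeout` seconds (Apache's TimeOut default is 300 s, as the reply states).
    `slack` allows for one-second rounding in the log timestamps."""
    by_ip = defaultdict(lambda: {400: [], 408: []})
    for line in lines:
        rec = parse_access(line)
        if rec and rec["status"] in (400, 408):
            by_ip[rec["ip"]][rec["status"]].append(rec)
    hits = []
    for ip, buckets in by_ip.items():
        for r408 in buckets[408]:
            matches = [r for r in buckets[400]
                       if abs((r408["ts"] - r["ts"]).total_seconds() - timeout) <= slack]
            if matches:
                hits.append({"ip": ip, "t408": r408["ts"],
                             "preceding_400s": [r["ts"] for r in matches]})
    return hits


def ssl_failures_by_client(lines):
    """Attribute each 'OpenSSL: error:...' line to the client named in the most
    recent handshake message before it (mod_ssl logs the error on its own line)."""
    current = None
    errors = defaultdict(list)
    for line in lines:
        m = SSL_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        c = CLIENT_RE.search(msg)
        if c:
            current = c.group("ip")
        if msg.startswith("OpenSSL:") and current:
            errors[current].append(msg[len("OpenSSL:"):].strip())
    return dict(errors)


def suspicious_clients(access_lines, ssl_lines, timeout=300):
    """Clients showing both the 400/408 timeout pattern and a trapped SSL error."""
    pairs = {h["ip"] for h in find_timeout_pairs(access_lines, timeout)}
    return sorted(pairs & set(ssl_failures_by_client(ssl_lines)))


# Constructed access-log sample: two 400s, then a 408 from the same client
# 300 s later; the CGI path is a placeholder, not from the thread.
ACCESS_SAMPLE = [
    '66.46.213.130 - - [05/Oct/2002:02:50:41 +0000] "GET /cgi-bin/EXAMPLE.cgi HTTP/1.0" 400 287',
    '66.46.213.130 - - [05/Oct/2002:02:50:42 +0000] "GET /cgi-bin/EXAMPLE.cgi HTTP/1.0" 400 287',
    '10.0.0.7 - - [05/Oct/2002:02:51:10 +0000] "GET /index.html HTTP/1.1" 200 4312',
    '66.46.213.130 - - [05/Oct/2002:02:55:42 +0000] "-" 408 -',
]

# ssl_engine_log lines as quoted in the original message, unwrapped.
SSL_SAMPLE = [
    "[05/Oct/2002 02:55:42 00969] [error] SSL handshake timed out (client 66.46.213.130, server XXX.XXX.com:443)",
    "[05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 established (server YYY.YYY.com:443, client 66.46.213.130)",
    "[05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 bytes of entropy",
    "[05/Oct/2002 02:55:42 00969] [error] SSL handshake failed (server YYY.YYY.com:443, client 66.46.213.130) (OpenSSL library error follows)",
    "[05/Oct/2002 02:55:42 00969] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long",
]

if __name__ == "__main__":
    for hit in find_timeout_pairs(ACCESS_SAMPLE):
        print("400/408 pair:", hit["ip"], hit["t408"], hit["preceding_400s"])
    print("SSL errors:", ssl_failures_by_client(SSL_SAMPLE))
    print("both:", suspicious_clients(ACCESS_SAMPLE, SSL_SAMPLE))
```

Run it against a real access_log and ssl_engine_log by reading the files into the two lists; set `timeout` to whatever your httpd.conf TimeOut directive says, since the 400-to-408 gap should track that value rather than a fixed 300 s.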