Date: Tue, 09 Jan 2007 00:15:02 -0600
From: "William A. Rowe, Jr." <wrowe@...e-clan.net>
To: bugtraq@...urityfocus.com
Subject: Re: a cheesy Apache / IIS DoS vuln (+a question)

bugtraq wrote:
> 
> a quick fix for this can be available at least on BSD; there is accf_http,
> which can be modified not to pass the connection to Apache until a full request
> is read (either GET or POST, in full, not just the first GET request header;
> of course this can be even worse for a lot of POST data).

For what it is worth, Apache 2.2.x and later introduce support for http accept()
filtering on platforms which support httpfilter.  Since Apache 2.0.x, AcceptEx
is supported on Win32 to pend accept() for at least the initial request payload.

Of course this is not without some resource utilization for the incomplete
request payloads, but at least it does offload the resources from the web
server itself to the kernel socket layer.

Bill
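
The accept-filter mechanism both posts describe, as an added example that is not part of this thread, of Apache, or of the BSD accf_http module: a user-space model of the decision a "wait for a complete request" filter makes before the server is woken up, extended as the quoted post proposes to also wait for a Content-Length body, together with the setsockopt() calls that enable the real kernel-side filters (SO_ACCEPTFILTER "httpready" on FreeBSD and TCP_DEFER_ACCEPT, the nearest Linux analogue). The function names, the header and body caps, and the sample requests are my own assumptions.

```c
/*
 * Added example, not code from the thread, Apache, or accf_http. Models the
 * check an HTTP accept filter performs (assumed extension: wait for a
 * Content-Length body) and shows the setsockopt() calls for the kernel filters.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

#define MAX_HEADER_BYTES 8192      /* assumed cap on buffered header bytes */
#define MAX_BODY_BYTES   (1 << 20) /* assumed cap on a body we are willing to buffer */

enum req_state { REQ_INCOMPLETE = 0, REQ_COMPLETE = 1, REQ_REJECT = -1 };

/* Offset just past the blank line that ends the headers, or 0 if not received yet. */
static size_t header_end(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n' && i + 1 < len && buf[i + 1] == '\n')
            return i + 2;
        if (buf[i] == '\r' && i + 3 < len && memcmp(buf + i, "\r\n\r\n", 4) == 0)
            return i + 4;
    }
    return 0;
}

/* Value of header `name` inside [buf, buf+hdr_end) with surrounding blanks and CR
 * trimmed, or NULL. Skips the request line; name match is case-insensitive. */
static const char *header_value(const char *buf, size_t hdr_end, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *end = buf + hdr_end, *p = memchr(buf, '\n', hdr_end);
    while (p && ++p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        if (!nl) break;
        if ((size_t)(nl - p) > nlen && strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1, *e = nl;
            while (v < nl && (*v == ' ' || *v == '\t')) v++;
            while (e > v && (e[-1] == ' ' || e[-1] == '\t' || e[-1] == '\r')) e--;
            *vlen = (size_t)(e - v);
            return v;
        }
        p = nl;
    }
    return NULL;
}

/* Given `len` bytes received so far on a connection, decide whether the server
 * should be handed the socket (REQ_COMPLETE), should keep waiting
 * (REQ_INCOMPLETE), or whether the kernel should just drop it (REQ_REJECT). */
int http_request_complete(const char *buf, size_t len)
{
    size_t hdr = header_end(buf, len);
    if (hdr == 0)                       /* headers still arriving: bound what we buffer */
        return len > MAX_HEADER_BYTES ? REQ_REJECT : REQ_INCOMPLETE;
    if (!(hdr >= 4 && memcmp(buf, "GET ", 4) == 0) &&
        !(hdr >= 5 && (memcmp(buf, "HEAD ", 5) == 0 || memcmp(buf, "POST ", 5) == 0)))
        return REQ_REJECT;              /* only methods the filter understands are handed over */
    size_t vlen;
    if (header_value(buf, hdr, "Transfer-Encoding", &vlen))
        return REQ_COMPLETE;            /* chunked: no length known up front, leave body to the server */
    const char *v = header_value(buf, hdr, "Content-Length", &vlen);
    if (!v)
        return REQ_COMPLETE;            /* no body to wait for */
    if (vlen == 0)
        return REQ_REJECT;
    long clen = 0;
    for (size_t i = 0; i < vlen; i++) {
        if (!isdigit((unsigned char)v[i]) || clen > MAX_BODY_BYTES) return REQ_REJECT;
        clen = clen * 10 + (v[i] - '0');
    }
    if (clen > MAX_BODY_BYTES) return REQ_REJECT;
    return (len - hdr) >= (size_t)clen ? REQ_COMPLETE : REQ_INCOMPLETE;
}

/* Ask the kernel to hold back accept() until request data has arrived. The socket
 * must already be listening. Returns the setsockopt() result, -1 if unsupported. */
int enable_http_accept_filter(int listen_fd)
{
#if defined(SO_ACCEPTFILTER)
    /* FreeBSD: needs accf_http loaded (kldload accf_http); "httpready" releases
     * the connection once a complete request header has been buffered. */
    struct accept_filter_arg afa;
    memset(&afa, 0, sizeof afa);
    strncpy(afa.af_name, "httpready", sizeof afa.af_name - 1);
    return setsockopt(listen_fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof afa);
#elif defined(TCP_DEFER_ACCEPT)
    /* Linux: waits up to `secs` for the first data segment; it does not parse HTTP,
     * so it defers until the first byte arrives, not until the header is complete. */
    int secs = 5;
    return setsockopt(listen_fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &secs, sizeof secs);
#else
    (void)listen_fd;
    return -1;
#endif
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = 0, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        perror("listen");
        return 1;
    }
    printf("accept filter: %s\n", enable_http_accept_filter(fd) == 0 ? "enabled" : "unavailable");
    /* Constructed requests: a GET that is ready, and a POST still waiting for its body. */
    const char get[] = "GET / HTTP/1.1\r\nHost: example\r\n\r\n";
    const char post[] = "POST /f HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n\r\nab";
    printf("GET -> %d, POST -> %d\n", http_request_complete(get, sizeof get - 1),
           http_request_complete(post, sizeof post - 1));
    close(fd);
    return 0;
}
```

The two caps are where the resource cost Bill mentions is bounded: once a filter waits for a POST body rather than just the header, the kernel is buffering on the attacker's behalf, so a header-size limit, a body-size limit, and a drop path for unparseable input are what keep a slow sender from tying up socket memory indefinitely. On Linux, TCP_DEFER_ACCEPT gives only part of this, since it never inspects the bytes and releases the connection on the first data segment.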
