slowloris, accf_http and POST requests
Norbert Papke
npapke at acm.org
Mon Jun 22 16:14:13 UTC 2009
On June 22, 2009, Ruben de Groot wrote:
> Can enybody explain why the http accept filter only works on GET/HEAD
> requests?
>
> The reason I ask is I was checking up on the slowloris DOS tool
> (http://ha.ckers.org/slowloris/slowloris.pl) and, like others before me,
> found that the -httpready switch (which uses POST instead of GET) renders
> the accf_http module useless as a protection against this kind of attack.
With the POST request, the client sends additional data after the header.
This additonal data is the form data (the x-www-form-urlencoded encoded
name-value pairs). The filter will allow the request to proceed to the
application after the header as been received but before the form data has
been received.
A "slowloris" attack could exploit this fact by sending a complete header but
then slowing doling out the form data.
To protect against this scenario, the filter would need to be modified to
collect the form data as well. Of course, it doesn't stop there. The filter
would also have to deal with multi-part forms.
Disclaimer: This is based on cursory reading of the code.
Cheers,
-- Norbert Papke.
npapke at acm.org
http://saveournet.ca
Protecting your Internet's level playing field
More information about the freebsd-questions
mailing list