Bugtraq mailing list archives

Re: a cheesy Apache / IIS DoS vuln (+a question)

From: "William A. Rowe, Jr." <wrowe () rowe-clan net>
Date: Tue, 09 Jan 2007 00:15:02 -0600

bugtraq wrote:


a quick fix for this can be available at least on bsd, there is accf_http 
that can be modified not to pass the connection to apache until a full request
is read (either get or post, full, not just the first get request header, 
of course this can be even worst for a lot of post data).


For what it is worth, Apache 2.2.x and later introduce support for http accept()
filtering on platforms which support httpfilter.  Since Apache 2.0.x, AcceptEx
is supported on Win32 to pend accept() for at least the initial request payload.

Of course this is not without some resource utilization for the incomplete
request payloads, but at least it does offload the resources from the web
server itself to the kernel socket layer.

Bill

Current thread:

Re: a cheesy Apache / IIS DoS vuln (+a question), (continued)
- Re: a cheesy Apache / IIS DoS vuln (+a question) William A. Rowe, Jr. (Jan 04)
  - Re: a cheesy Apache / IIS DoS vuln (+a question) Michal Zalewski (Jan 04)
    - Re: a cheesy Apache / IIS DoS vuln (+a question) William A. Rowe, Jr. (Jan 04)
    - Re: a cheesy Apache / IIS DoS vuln (+a question) Michal Zalewski (Jan 04)
    - Re: a cheesy Apache / IIS DoS vuln (+a question) Michal Zalewski (Jan 04)
  - Re: a cheesy Apache / IIS DoS vuln (+a question) Gadi Evron (Jan 08)
- Re: a cheesy Apache / IIS DoS vuln (+a question) Pieter de Boer (Jan 04)
  - Re: a cheesy Apache / IIS DoS vuln (+a question) Rob Sherwood (Jan 04)
- Re: a cheesy Apache / IIS DoS vuln (+a question) Siim Põder (Jan 04)
- Re: a cheesy Apache / IIS DoS vuln (+a question) bugtraq (Jan 08)
  - Re: a cheesy Apache / IIS DoS vuln (+a question) William A. Rowe, Jr. (Jan 09)
    - Re: a cheesy Apache / IIS DoS vuln (+a question) bugtraq (Jan 10)