>>>>> On 2007-03-05 13:24 PST, Joe Orton writes:
Joe> On Mon, Mar 05, 2007 at 09:33:56PM +0100, Ruediger Pluem wrote:
>> On 03/03/2007 05:47 AM, Karl Chen wrote: present. Also
>> other issues like noise in the log file. I've also seen
>> people complaining that "GET /" might incur the cost of
>> dynamic content generation for /.
>>
>> Hm. Just thinking loud. Can we avoid this if we replace GET
>> / with OPTIONS /?
Joe> Doing "OPTIONS *" as Bill notes is probably the best
Joe> option available for the dummy connection, though it will
Joe> still be confusing for users (possibly more confusing,
Joe> since that request is rarely if ever seen "in the wild").
Thanks for the input everyone and pointers to the bugzilla issues.
"OPTIONS *" is a definite improvement over "GET /" for
performance.
What about the NOOP idea? If the connection could be reliably
detected to be coming from [EMAIL PROTECTED], would there still be
a risk of an attack going unnoticed?
It seems reasonable to elide those messages by default, or at
least write them to a different log file. I'd say the risk of a
real attack getting drowned in noise is currently higher than a
kernel that allows spoofing TCP connections from localhost.
Apache could also look at the srcport to check that it's coming
from the httpd process+user. And it could create a nonce at
startup and only elide messages with the proper nonce. Lots of
ways to authenticate yourself to yourself :)
--
Karl 2007-03-16 19:18
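As an added illustration of the "nonce at startup" idea from the message above (example code written for this page, not anything from httpd; the `X-Wakeup-Nonce` header name and all function names are hypothetical): the parent generates a nonce once at startup, the wakeup request is an `OPTIONS *` carrying that nonce, and only a loopback request with the matching nonce is elided from the log, so a "GET /" or a wrong nonce from localhost is still logged.

```python
import hmac
import secrets

# Hypothetical header used to carry the startup nonce (not an Apache header).
NONCE_HEADER = "x-wakeup-nonce"
LOOPBACK = ("127.0.0.1", "::1")


def new_startup_nonce() -> str:
    """Generate the per-process nonce once, when the server starts."""
    return secrets.token_hex(16)


def build_dummy_request(nonce: str) -> bytes:
    """The wakeup request the parent sends to itself: OPTIONS * plus the nonce."""
    return f"OPTIONS * HTTP/1.0\r\n{NONCE_HEADER}: {nonce}\r\n\r\n".encode()


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_authenticated_wakeup(peer_ip: str, raw: bytes, nonce: str) -> bool:
    """True only for an OPTIONS * from loopback that presents the correct nonce."""
    if peer_ip not in LOOPBACK:
        return False
    try:
        method, target, headers = parse_request(raw)
    except ValueError:
        return False  # unparsable input is never treated as the dummy connection
    if method != "OPTIONS" or target != "*":
        return False
    presented = headers.get(NONCE_HEADER, "")
    # Constant-time comparison so the nonce cannot be guessed byte by byte.
    return hmac.compare_digest(presented.encode(), nonce.encode())


def should_log(peer_ip: str, raw: bytes, nonce: str) -> bool:
    """Log everything except the server's own authenticated wakeup request."""
    return not is_authenticated_wakeup(peer_ip, raw, nonce)
```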