* Christopher Ellwood <[EMAIL PROTECTED]> [010807 23:42] wrote:
> The Code Red II worm seems to have a negative impact on FreeBSD machines
> with HTTP Accept Filtering enabled either statically in the kernel or via
> modules.
>
> The man page for accf_http states that:
>
> It prevents the application from receiving the connected descriptor via
> accept() until either a full HTTP/1.0 or HTTP/1.1 HEAD or GET request has
> been buffered by the kernel.
>
> What seems to be happening is Code Red II sends its 3.8K malformed
> request, but the accept filter doesn't recognize this request as being
> completed. So the connection sits in the established state with 3818
> bytes in the Receive Queue as shown in the following netstat:
>
> Proto Recv-Q Send-Q Local Address Foreign Address (state)
> tcp4 3818 0 10.1.1.1.80 64.1.1.1.2932 ESTABLISHED
>
> If you get enough of these (about 20-30 on a machine with NMBCLUSTERS set
> to 1024), your mbuf cluster pool becomes exhausted and network
> transactions begin to fail.
>
> This inadvertent side affect of the Code Red worm suggests that it would
> also be relatively easy to launch a denial of service attack against a
> machine with HTTP accept filtering.
>
> This was observed on FreeBSD 4.3-RELEASE machine running both Apache
> 1.3.19 and 1.3.20.
This is somewhat true, however your machine seems to be configured
quite poorly.
Having a low amount of NMBCLUSTERS (1024) and at the same time keeping
an unbounded (or at least large) listen queue (listen(fd,-1)) is
not advised, especially when you are using accept filters.
--
-Alfred Perlstein [[EMAIL PROTECTED]]
Ok, who wrote this damn function called '??'?
And why do my programs keep crashing in it?
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
