My opinion is: don't use the accept filter; it can become a DoS attack target.
Sending a big HTTP header and not completing it does not let Apache know a
connection
is already made, and there is no timeout counter like the one in the Apache server.
Using an accept filter cannot get so much benefit.
--
David Xu
----- Original Message -----
From: "Christopher Ellwood" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 08, 2001 12:42 PM
Subject: Problem with Code Red II and HTTP Accept Filtering
> The Code Red II worm seems to have a negative impact on FreeBSD machines
> with HTTP Accept Filtering enabled either statically in the kernel or via
> modules.
>
> The man page for accf_http states that:
>
> It prevents the application from receiving the connected descriptor via
> accept() until either a full HTTP/1.0 or HTTP/1.1 HEAD or GET request has
> been buffered by the kernel.
>
> What seems to be happening is Code Red II sends its 3.8K malformed
> request, but the accept filter doesn't recognize this request as being
> completed. So the connection sits in the established state with 3818
> bytes in the Receive Queue as shown in the following netstat:
>
> Proto Recv-Q Send-Q Local Address Foreign Address (state)
> tcp4 3818 0 10.1.1.1.80 64.1.1.1.2932 ESTABLISHED
>
> If you get enough of these (about 20-30 on a machine with NMBCLUSTERS set
> to 1024), your mbuf cluster pool becomes exhausted and network
> transactions begin to fail.
>
> This inadvertent side effect of the Code Red worm suggests that it would
> also be relatively easy to launch a denial of service attack against a
> machine with HTTP accept filtering.
>
> This was observed on a FreeBSD 4.3-RELEASE machine running both Apache
> 1.3.19 and 1.3.20.
>
> Regards,
>
> - Christopher Ellwood
> Network Security Consultant
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message
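A defender-side check for the condition described in the thread, added here as an example and not part of the original messages: it parses `netstat -an` output in the format quoted in the post and counts ESTABLISHED sockets on port 80 whose Recv-Q is non-zero, i.e. data the accept filter is holding but has not released to accept(). The sample lines and the alert threshold are constructed.

```python
from collections import Counter

def split_addr(addr):
    """FreeBSD netstat prints host.port (e.g. 10.1.1.1.80); '*' means any."""
    host, port = addr.rsplit(".", 1)
    return host, (int(port) if port.isdigit() else port)

def parse_netstat(text):
    """Yield one dict per tcp line of `netstat -an`; other lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].startswith("tcp"):
            continue
        proto, recvq, sendq, local, foreign, state = parts
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        yield {"proto": proto, "recvq": int(recvq), "sendq": int(sendq),
               "lport": lport, "fhost": fhost, "fport": fport, "state": state}

def stalled_http_sockets(text, port=80):
    """ESTABLISHED sockets on `port` with data the accept filter is still holding.

    With accf_http loaded, a request the filter never sees as complete sits in
    the receive queue (Recv-Q > 0) and is never handed to Apache by accept().
    """
    return [c for c in parse_netstat(text)
            if c["lport"] == port and c["state"] == "ESTABLISHED" and c["recvq"] > 0]

def report(text, port=80, threshold=20):
    """Summarise stalled sockets. `threshold` is a constructed alert level; the
    post saw exhaustion at roughly 20-30 sockets with NMBCLUSTERS=1024."""
    stalled = stalled_http_sockets(text, port)
    return {"count": len(stalled),
            "bytes_queued": sum(c["recvq"] for c in stalled),
            "by_host": dict(Counter(c["fhost"] for c in stalled)),
            "alert": len(stalled) >= threshold}

# Constructed sample in the format quoted in the thread (not a real capture).
SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4    3818      0  10.1.1.1.80            64.1.1.1.2932          ESTABLISHED
tcp4    3818      0  10.1.1.1.80            64.1.1.1.2940          ESTABLISHED
tcp4    3818      0  10.1.1.1.80            64.1.1.2.1055          ESTABLISHED
tcp4       0      0  10.1.1.1.80            192.0.2.7.40012        ESTABLISHED
tcp4       0      0  10.1.1.1.22            192.0.2.9.51111        ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
"""

if __name__ == "__main__":
    print(report(SAMPLE, threshold=3))
```

Run it against live `netstat -an` output on the web server (e.g. from cron) and alert on `"alert": True`; the per-host breakdown shows whether the stalled sockets come from a handful of sources, as in the worm case.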