Re: Xitami Connection Flood Server Termination Vulnerability

2002-08-03 Thread mattmurphy

In-Reply-To: <[EMAIL PROTECTED]>

>Although I tried it using a Perl script flooding the GET requests in a
>loop, instead of using browser quickie, but yeah I had the maximum
>number of concurrent sessions value set quite low, as it was 100 only.
>

A little correction on the connection setting.  My config was reset during 
maintenance, and was actually set at *infinite* connections, but Xitami ceased to 
respond at about 11 connections on my box.  The denial of service condition appears to 
be an overloaded piece of code in a library/core module.  It appears to be maxed out 
when Xitami stops checking for new session requests.  However, what puzzles me is 
*why* the service is halting checks when it has no connection limit set.



Re: Xitami Connection Flood Server Termination Vulnerability

2002-08-02 Thread Muhammad Faisal Rauf Danka

I tried the same method as you suggested on Xitami 2.5b5 for Win32, 
but my results are a bit different.

I received the following errors:

Service Unavailable error 
It Ignores session request 

Although I tried it using a Perl script flooding the GET requests in a
loop, instead of using browser quickie, but yeah I had the maximum
number of concurrent sessions value set quite low, as it was 100 only.

But if the bug is in the method of identifying the max sessions and 
responding to it, then it should work even if it's set as 5.

So is it specific to some limit like more than $value number of
sessions, or could it be your hardware resources running out during your
tests?

Regards, 
-
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
