Andres >> Exactly what I was thinking

Carlos >> I have to disagree with pulling the banner to decide if it is one of the servers affected. If a check can be written to generically detect the existence of this architecture issue it should end there. There is no value in adding a weak check to supplement a string check. Configuration settings, Web Application Firewalls, and maybe even IPS/IDS devices could impact the exploitability of this vulnerability.
Cheers,
Jeremy

On Sun, Jun 28, 2009 at 10:58 AM, Carlos Perez <[email protected]> wrote:
> I think you are right Andres that is a good check to make with the ID,
> Apache in specific the default is 5 minutes, which I personally consider to
> be too long. I believe that the plug-in should check not only for the amount
> of time of the connection but also for the server banner to see if it is one
> of the different types of servers affected. I covered this in the Pauldotcom
> podcast and on WhitehatWorld webcast last week. Here is some of the info I
> presented on this:
>
> - First covered in 2005 in Apache Security under "Programming Model Attacks"
> - The attack was also described by Adrian Ilarion Ciobanu in an Email to Bugtraq in 2007
> - 2009 Rsnake releases the first public tool called slowloris in http://ha.ckers.org/slowloris/
> - Servers Affected:
>   - Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, Squid, Others....
> - Not Affected:
>   - IIS6.0, IIS7.0, lighttpd, nginx, Cherokee, others...
> - The TimeOut Directive, described at http://httpd.apache.org/docs/2.2/mod/core.html#timeout change from 5 minutes to a lower value (10 seconds, 30 seconds.. Test!) (This is what I was referring to, mOses)
> - Use a module, such as mod_limitipconn, to limit the number of connections from one IP address
> - Monitor your connections for spikes in activity and large amounts of sessions from a single source.
>
> For those that are behind a Cisco CSS the content switch will mitigate the attack.
> http://www.cupfighter.net/index.php/2009/06/slowloris-css/
>
> Larry from Pauldotcom has been testing some embedded devices and he might
> share other devices that are affected.
>
>
> On Sun, Jun 28, 2009 at 10:27 AM, Andres Riancho <[email protected]> wrote:
> > mOses,
> >
> > On Fri, Jun 26, 2009 at 9:36 PM, mOses <[email protected]> wrote:
> >>
> >> On Jun 26, 2009, at 7:51 PM, Jeremy Richards wrote:
> >>
> >>> Hello,
> >>>
> >>> I think that it should be possible to write some form of signature to
> >>> detect this without actually performing a DoS. First, it should be
> >>> mentioned that the check would not determine the specific vulnerable
> >>> application but the underlying architecture issue.
> >>>
> >>> To summarize the attack (please correct me if I'm wrong!):
> >>> Create a sufficiently large number of open HTTP connections to saturate
> >>> the connection pool. This results in the DoS condition (until connections
> >>> time out). This is not a TCP/IP layer attack but an application layer
> >>> attack.
> >>>
> >>> If one was able to open (and keep open) a safe number of connections for a
> >>> specified threshold, one may be able to determine the existence of the flaw.
> >>> This would require additional testing and research of course.
> >>>
> >>
> >> This is a rather interesting possibility, the only question I have is, how can
> >> you tell that your session is still 'active' if you are not communicating
> >> with it at all?
> >
> > POST /index.php HTTP/1.1
> > Content-Length: 20
> >
> > 0987654321<wait 40 seconds>0987654321
> >
> > If you get an answer, then the connection was kept alive for at least
> > 40 seconds, right?
> >
> > Cheers,
> >
> >>> Jeremy
> >>>
> >>> On Fri, Jun 26, 2009 at 5:54 PM, Andres Riancho <[email protected]> wrote:
> >>> Carlos,
> >>>
> >>> On Fri, Jun 26, 2009 at 6:17 PM, Carlos perez <[email protected]> wrote:
> >>> > Slowloris is part of the architecture of apache not a bug so the only
> >>> > way to check if an admin took preventive measures for his specific
> >>> > environment would be to check the apache.conf file
> >>>
> >>> But if the admin took preventive measures, can't I test it using black
> >>> box?
> >>>
> >>> > Sent from my iPhone
> >>> >
> >>> > On Jun 26, 2009, at 3:25 PM, Andres Riancho <[email protected]> wrote:
> >>> >
> >>> >> List,
> >>> >>
> >>> >> Does anyone know if it's possible to test for the "slowloris
> >>> >> vulnerability" [0] without DoS'ing the web server? I was thinking
> >>> >> that if that was possible, we could add it to w3af. Someone already
> >>> >> did something in python [1], so it shouldn't be hard to add it to
> >>> >> w3af.
> >>> >>
> >>> >> [0] http://ha.ckers.org/slowloris/
> >>> >> [1] http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/
> >>> >>
> >>> >> Cheers,
> >>> >> --
> >>> >> Andrés Riancho
> >>> >> Founder, Bonsai - Information Security
> >>> >> http://www.bonsai-sec.com/
> >>> >> http://w3af.sf.net/
> >>> >>
> >>> >> ------------------------------------------------------------------------------
> >>> >> _______________________________________________
> >>> >> W3af-users mailing list
> >>> >> [email protected]
> >>> >> https://lists.sourceforge.net/lists/listinfo/w3af-users
------------------------------------------------------------------------------
_______________________________________________ W3af-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/w3af-users
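The single-connection probe Andres sketches in the thread (send part of a POST body, pause, send the rest, and see whether the server still answers), as an added example that is not code from the thread, from w3af or from Apache. It is written for an operator checking a server they run: if a lowered Timeout directive is really in effect, a stall longer than that value gets the connection dropped and the probe returns False. The wait is a parameter instead of the thread's fixed 40 seconds, and serve_once is a constructed stand-in server with a configurable per-read timeout, included only so the probe can be exercised offline.

```python
import socket
import threading
import time

def probe_idle_timeout(host, port, pause, path="/index.php"):
    """Send half of a 20-byte POST body, idle `pause` seconds, send the rest.
    True if the server still answers (it tolerated the stall), else False."""
    body = b"0987654321" * 2  # 20 bytes, the Content-Length used in the thread
    request = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
               f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((host, port), timeout=pause + 5) as sock:
            sock.sendall(request + body[:10])
            time.sleep(pause)  # the "<wait N seconds>" step from the thread
            sock.sendall(body[10:])
            return sock.recv(1024).startswith(b"HTTP/1.")
    except OSError:  # reset, refused or timed out: no answer came back
        return False

def serve_once(idle_timeout):
    """Constructed stand-in (not Apache) for a server whose per-read timeout is
    `idle_timeout` seconds, the role Apache's Timeout directive plays. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        conn.settimeout(idle_timeout)
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:  # read the request head
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
            head, _, rest = buf.partition(b"\r\n\r\n")
            length = int(head.split(b"Content-Length:")[1].split(b"\r\n")[0])
            while len(rest) < length:  # recv raises if the client stalls too long
                rest += conn.recv(4096)
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        except OSError:
            pass  # timed out waiting for the body: drop the connection
        finally:
            conn.close()
            srv.close()
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]
```

A probe that returns True for a pause well above the Timeout you configured means the stall is being tolerated somewhere in front of the server (a proxy or load balancer buffering the body, for instance), which is exactly the situation Jeremy's point about intermediate devices anticipates.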
