> -----Original Message-----
> From: David Johnson
> Our Zope 3.2.1 server is crashing and we cannot determine why.
> The last entry in the access.log is the following:
> - - [10/Mar/2007:22:11:45 -0500] "CONNECT  
> sextw.com.tw:25 HTTP/1.0" 404 0 "-" "-"

Hi David,

This is an attack on your server to attempt to proxy a 
connection (CONNECT) to a third party SMTP (port 25) server 
(sextw.com.tw).  The CONNECT command (i.e. like POST, GET
and HEAD commands) is part of the HTTP RFC.  It is normally
not needed on the vast majority of http servers and is 
usually disabled.  I do not know how zope3 handles this
case other than by your observed crash.  Technically,
what you are experiencing is a Denial of Service (DoS).
This is only just slightly better than having the actual
CONNECT command succeed.  If it succeeds then you have 
just become a spam engine.

If you could get a packet capture of the incoming traffic
during one of these attacks you might be able to determine
how zope is answering.

I would recommend that you place zope behind an Apache
proxy server for its protection.  Personally, I would rather 
trust in Apache's robustness for dealing with internet threats
than (from my point of view) the relatively unhardened 
internal implementation (twisted or otherwise) that zope 3 
offers.  By unhardened, I mean that zope 3 has not undergone
(to my knowledge) the many years of discovering and fixing
of security issues that apache has.  I do not know the extent
to which zope 3 has undergone any security vulnerability analysis
and testing.

Both of the zope books explain how to place apache in front
of zope and it is quite straightforward.


System Scientist / Scientifique, spécialiste des systèmes
Canada Centre for Remote Sensing / Centre canadien de télédéction
Natural Resources Canada, 588 Booth Street, Ottawa, Ontario, Canada, K1A 0Y7
Ressources naturelles Canada, 588 rue Booth, Ottawa, Ontario, Canada, K1A 0Y7
Government of Canada / Gouvernement du Canada
Zope3-users mailing list

Reply via email to