slowloris, accf_http and POST requests
Ruben de Groot
mail25 at bzerk.org
Mon Jun 22 11:26:11 UTC 2009
Hi,
Can anybody explain why the http accept filter only works on GET/HEAD requests?
The reason I ask is I was checking up on the slowloris DoS tool
(http://ha.ckers.org/slowloris/slowloris.pl) and, like others before me, found
that the -httpready switch (which uses POST instead of GET) renders the accf_http
module useless as a protection against this kind of attack.
Recompiling the module for caching POST requests as well (see small patch below)
seems to work. At least the slowloris tool can no longer be used to DoS Apache.
Also, I've checked that CGI scripts using POST still work.
But I hesitate to go and use this in production. There must have been a reason
why POST was not implemented in the http accept filter and doing this might
break things?
Ruben
# cd /usr/src/sys/netinet
# diff -u accf_http.c.orig accf_http.c
--- accf_http.c.orig 2007-11-11 13:32:12.000000000 +0000
+++ accf_http.c 2009-06-22 10:42:35.000000000 +0000
@@ -38,7 +38,7 @@
#include <sys/sysctl.h>
#include <sys/socketvar.h>
-/* check for GET/HEAD */
+/* check for GET/HEAD/POST */
static void sohashttpget(struct socket *so, void *arg, int waitflag);
/* check for HTTP/1.0 or HTTP/1.1 */
static void soparsehttpvers(struct socket *so, void *arg, int waitflag);
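Review bot: the comment now reads "check for GET/HEAD/POST" but the function it describes is still named sohashttpget, so name and comment disagree; either rename the function or extend the comment to say it is the request-method check and, if that is the intent, that POST is buffered only as far as the request headers. This hunk changes nothing but the comment; the behavioural change lives entirely in the second hunk.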
@@ -178,6 +178,9 @@
case 'H':
STRSETUP(cmp, cmplen, "EAD ");
break;
+ case 'P':
+ STRSETUP(cmp, cmplen, "OST ");
+ break;
default:
goto fallout;
}
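Review bot: the new `case 'P':` branch matches only `"OST "`, so PUT and every other method still take the `default: goto fallout;` path; that is consistent with the existing GET/HEAD handling, but a one-line comment stating that POST is now buffered like GET/HEAD while other methods fall out of the filter unchanged would save the next reader the question raised in the mail. It would also be worth recording there that the filter still only waits for what its later stages look for (the request line and headers, per the `soparsehttpvers` comment in the first hunk), not for a POST body, so the protection this adds is narrower than "POST is now covered".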
# cd /usr/src/sys/modules/accf_http/
# make && make install
# kldload accf_http
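A user-space model of the filter's decision stages, as an added example (mine, not the poster's patch nor FreeBSD's accf_http.c); the method set is the patched one, and the three stages (method, HTTP version, blank line ending the headers) are my reading of how the filter decides, stated as an assumption:

```python
# Added example: a user-space model of the accf_http decision stages as I
# understand them (assumption; this is not the FreeBSD kernel code): method
# check, HTTP version check, then wait for the end of the header block. The
# method list includes POST as in the patch above.

METHODS = (b"GET ", b"HEAD ", b"POST ")      # patched set; original was GET/HEAD
VERSIONS = (b"HTTP/1.0", b"HTTP/1.1")


def _could_still_match(buf: bytes, candidates) -> bool:
    """True if the bytes seen so far are a prefix of (or equal to) a candidate."""
    return any(c.startswith(buf[:len(c)]) for c in candidates)


def accept_filter_state(buf: bytes) -> str:
    """Classify the bytes buffered so far on a not-yet-accepted connection.

    'wait'    - keep holding the connection in the kernel (no accept() yet)
    'release' - header block complete, hand the socket to the application
    'fallout' - not a request this filter understands, hand it over at once
    """
    # Stage 1: request method (the switch on the first byte in the patch).
    if not any(buf.startswith(m) for m in METHODS):
        return "wait" if _could_still_match(buf, METHODS) else "fallout"

    # Stage 2: the request line must end in HTTP/1.0 or HTTP/1.1.
    nl = buf.find(b"\n")
    if nl == -1:
        return "wait"                        # request line still incomplete
    if not buf[:nl].rstrip(b"\r").endswith(VERSIONS):
        return "fallout"

    # Stage 3: release once the header block is terminated by a blank line.
    # A POST body that follows is NOT awaited here, hence the partial cover.
    if b"\r\n\r\n" in buf or b"\n\n" in buf:
        return "release"
    return "wait"


if __name__ == "__main__":
    # Constructed sample buffers, not captured traffic.
    samples = {
        b"GET / HTTP/1.1\r\nHost: a\r\n\r\n": "release",
        b"POST /f HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\n": "release",
        b"POST /f HTTP/1.1\r\nX-a: 1\r\n": "wait",   # headers unfinished: held in kernel
        b"PUT /f HTTP/1.1\r\n": "fallout",           # other methods bypass the filter
        b"GET / HTTP/0.9\r\n": "fallout",
    }
    for buf, expected in samples.items():
        assert accept_filter_state(buf) == expected, buf
    print("all samples classified as expected")
```

The third sample shows what the patch buys (an unfinished POST header block stays in the kernel); the second shows what it does not (a complete POST header block is released before any body arrives).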