The Code Red II worm seems to have a negative impact on FreeBSD machines
with HTTP Accept Filtering enabled either statically in the kernel or via
modules.
The man page for accf_http states that:
It prevents the application from receiving the connected descriptor via
accept() until either a full HTTP/1.0 or HTTP/1.1 HEAD or GET request has
been buffered by the kernel.
What seems to be happening is Code Red II sends its 3.8K malformed
request, but the accept filter doesn't recognize this request as being
completed. So the connection sits in the established state with 3818
bytes in the Receive Queue as shown in the following netstat:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 3818 0 10.1.1.1.80 64.1.1.1.2932 ESTABLISHED
If you get enough of these (about 20-30 on a machine with NMBCLUSTERS set
to 1024), your mbuf cluster pool becomes exhausted and network
transactions begin to fail.
This inadvertent side effect of the Code Red worm suggests that it would
also be relatively easy to launch a denial of service attack against a
machine with HTTP accept filtering.
This was observed on a FreeBSD 4.3-RELEASE machine running both Apache
1.3.19 and 1.3.20.
Regards,
- Christopher Ellwood
Network Security Consultant
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
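The symptom in the message above is visible from ordinary netstat output: an ESTABLISHED socket on the HTTP port whose Recv-Q stays non-zero is one that accf_http is still holding back from accept(). The following script is an added example (not code from the poster or from FreeBSD) that parses netstat -an output in the FreeBSD 4.x layout, picks out those stalled sockets, and totals the bytes they are pinning in kernel buffers. The netstat sample is constructed for the example (only the first data line mirrors the post); the warning threshold of 20 is an assumption taken from the "about 20-30" figure quoted above.

```python
"""Spot accept-filter (accf_http) connections stuck with unread data.

With accf_http loaded, accept() does not return a socket until the filter
has buffered a complete HTTP/1.0 or 1.1 GET/HEAD request.  A request the
filter never recognises as complete therefore stays ESTABLISHED with its
bytes sitting in Recv-Q, and each such socket holds mbuf clusters until the
peer gives up.  This script counts those sockets from netstat output.
"""
from dataclasses import dataclass

# Constructed sample of `netstat -an` in FreeBSD 4.x format.  Not captured
# from the poster's machine; only the first data line mirrors the post.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4    3818      0  10.1.1.1.80            64.1.1.1.2932          ESTABLISHED
tcp4    3818      0  10.1.1.1.80            64.1.1.2.4011          ESTABLISHED
tcp4       0      0  10.1.1.1.80            192.0.2.7.51022        ESTABLISHED
tcp4       0    512  10.1.1.1.22            192.0.2.9.40000        ESTABLISHED
tcp4    3818      0  10.1.1.1.80            64.1.1.3.1200          ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
"""


@dataclass
class Conn:
    proto: str
    recv_q: int
    send_q: int
    local_host: str
    local_port: int
    foreign: str
    state: str


def split_addr(addr):
    """FreeBSD netstat joins host and port with '.': '10.1.1.1.80', '*.80'."""
    host, _, port = addr.rpartition('.')
    return host, (int(port) if port.isdigit() else -1)


def parse_netstat(text):
    """Parse the socket lines of `netstat -an`; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(('tcp', 'udp')):
            continue
        host, port = split_addr(parts[3])
        state = parts[5] if len(parts) > 5 else ''   # UDP rows carry no state
        conns.append(Conn(parts[0], int(parts[1]), int(parts[2]),
                          host, port, parts[4], state))
    return conns


def stalled_http_conns(conns, port=80):
    """ESTABLISHED sockets on the HTTP port with unread bytes in Recv-Q.

    Under accf_http these are connections the filter has not yet handed to
    the application, i.e. the pattern the post describes.
    """
    return [c for c in conns
            if c.local_port == port and c.state == 'ESTABLISHED' and c.recv_q > 0]


def summarize(text, port=80, warn_at=20):
    """Return counts for one netstat snapshot.

    warn_at=20 is an assumed threshold based on the post's observation that
    about 20-30 stalled connections exhausted a 1024-cluster mbuf pool.
    """
    stalled = stalled_http_conns(parse_netstat(text), port)
    return {
        'stalled': len(stalled),
        'queued_bytes': sum(c.recv_q for c in stalled),
        'peers': sorted({c.foreign.rpartition('.')[0] for c in stalled}),
        'warn': len(stalled) >= warn_at,
    }


if __name__ == '__main__':
    # On a live host replace SAMPLE_NETSTAT with the output of `netstat -an`.
    print(summarize(SAMPLE_NETSTAT))
```

A single snapshot can include legitimate connections that accept() simply has not reached yet, so on a busy server sample a few seconds apart and treat only sockets that keep the same non-zero Recv-Q across samples as stalled; the per-peer list then shows whether the load is one scanner or many.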