On Tue, Dec 17, 2002 at 01:48:22PM -0800, Paul L. Allen wrote:
> Joe Rhett wrote:
> >
> > [... about Slapper worm affecting immune servers ...]
> >
> > Thus my confusion on this topic -- people are feeling the brunt, and there
> > are numerous posts about changes to minimize the effect. But all of these
> > fixes are either (1) breaking something else or (2) security through
> > obscurity. We should definitely be investigating a real fix, and I'm not
> > seeing anything which indicates this.
>
> The fix for the classic denial-of-service attack will likely not come
> from the OpenSSL community or the Apache community. If somebody is
> flooding you with traffic and taking your servers down, the best you
> can do is to block the packets before they hit your server. The fact
> that the Internet carries those packets to your server is a feature,
> not a bug to be fixed.

Paul, you're not reading what I wrote. This isn't a classic denial of
service attack. This is one TCP session per host. No incomplete SYN, no
barrage of requests. One request per host.
Going back and re-reading my message, I'm positive that if you had
actually read the message you wouldn't have come to this conclusion.
Please don't waste everyone's time with irrelevant, ignorant replies.

> If the hole the worm is looking for is patched and you can prevent the
> worm from even looking at you by changing the way Apache identifies
> itself, you're fixed. Any admin who is aware enough to change their
> server's identity string will also have patched the hole. The worm's
> authors are unlikely to try to find some other way to recognize
> Apache servers because there's no payoff for the effort.

You're missing the point. It's a simple attack that makes the servers
completely unavailable for param{Timeout} seconds. No other SSL library
suffers from this. This is a bug.

And your analysis of payoff is quite wrong. I've been doing security work
for 13 years, and what anyone poses as 'not worth it' is always the 'next
big attack'. Your suggestion of security-through-obscurity as a fix
demonstrates your lack of experience in this field. Ignoring the problem
certainly isn't a valid fix, and it's a cheap and easy denial of service.
Shut down any OpenSSL-based website with only 2 packets every 5 minutes.
Why someone may want to do so isn't relevant to the fact that it is an
easy attack.

-- 
Joe Rhett
Chief Geek
[EMAIL PROTECTED]
ISite Services, Inc.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]