Hi there, * Eric Rescorla ([EMAIL PROTECTED]) wrote: > I've long suspected that you could connect to Apache and consume all > the processes until a timeout. It's very hard to defend against this > attack since it's hard to distinguish attackers from slow clients. I
This is what I was wondering about too because as far as I am aware, there are no (known) outstanding issues with OpenSSL in this respect. Apache (1.3)'s one-request-per-process model has always been a bit vulnerable to this issue of idle DoS attacks, especially given how responsive and parallel http is generally required to be (eg. this same possibility with fork()'d mail servers is generally not a problem at all). But unless mod_ssl itself is very lax, I can't even see how this problem is specific to https, let alone openssl. Ie. if the problem is read/write timeouts in apache's network code then surely you can DoS it by opening a connection to port 80 and trickling through an http request one-byte-at-a-time (so each delay is less than apache's read timeout). In theory, this should would allow an ancient 386 sitting on a slow modem to take down an apache server. (And means setting the timeout to 300 seconds in an apache configuration is an open invitation for pain). Or is there more to this problem than that? I don't see any details to explain where this problem lies, but if it is the network timeouts as Eric suggested, then this an Apache/mod_ssl issue at best. If the TCP connects to the server were OK but it looked like Apache's accept() was jammed, this would certainly suggest that the child-processes were all tied up in read() sleeps. Typically, apache child processes all sleep inside accept() when they're idle and the kernel will get to choose which ones get woken up by any incoming connections. > just didn't understand why Slapper was doing it since it only tries to > probe your machine once AFAIK. But if you have a lot of IPs.... But along the lines of what the original poster mentioned, this courtesy from Slapper can hardly be relied upon - someone could easily modify it to DoS any apache servers that it can't otherwise exploit. Ie. make the virus tie up all the child-processes (doing the DoS connections from any previously exploited/controlled servers). The question however is; what *exactly* is the problem? Cheers, Geoff -- Geoff Thorpe [EMAIL PROTECTED] http://www.openssl.org/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
