Thread: [mod-security-users] new Apache exploit?
From: Jason H. <Jas...@tr...> - 2009-06-22 02:56:06
I just saw this on the SANS blog:

http://isc.sans.org/diary.php?storyid=6613&rss

It's a very easy exploit that will DoS Apache very quickly. However, it's not exactly "sneaky" - you'll know who did it.

However, is there any way for modsecurity to detect this - to tide us over until Apache fixes it?

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
From: <chr...@po...> - 2009-06-22 08:03:25
Hello Jason,

As far as I can tell, ModSecurity can't help you against Slowloris here as it is running too late in the Apache lifecycle.

A silver bullet against this attack is unlikely, but this is not the end of the world. There are mitigation possibilities. I reckon the best intermediate defense against the single attacker variant is to use netstat and blacklist everybody blocking too many sockets.

Still, ModSecurity would play a role in a good defense. Reconnaissance is key here and Apache is nearly blind when it comes to this attack. Given the ModSecurity timestamps, you get a better impression of what is going on.

Also, I believe that the real threat is not delaying of the headers, but delaying of the POST payload. The slowloris script only works on the headers, which means there is a lot more room for nastiness. Technically, POST requests can be delayed for an almost unlimited amount of time. As everybody is allowed to do POST requests by default, you need something to protect you here. I believe ModSecurity is able to do this job in phase 1.

-> Prevent non-authenticated users from doing POST requests to anything but the login form. And whitelist the login form to a very small Content-Length header in phase 1.

I am not sure anybody is following me here, though. ;)

More thoughts are definitely welcome.

Regs,

Christian

--
Christian Folini, IT 222
Webserver Security Engineer
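The netstat check suggested in the reply above, as an added example that is not part of the original thread: it counts held sockets per client on the web port from `netstat -ant` text and lists clients above a limit. The function names, the threshold of 50 and the sample addresses are assumptions made for illustration.

```python
from collections import Counter

# States in which a client is occupying a server socket (assumed set for this example).
HELD_STATES = {"ESTABLISHED", "SYN_RECV"}

def build_sample():
    """Constructed `netstat -ant` output: one client holding 60 sockets, five normal clients."""
    rows = ["Active Internet connections (servers and established)",
            "Proto Recv-Q Send-Q Local Address Foreign Address State",
            "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN"]
    rows += [f"tcp 0 0 192.0.2.10:80 198.51.100.7:{40000 + i} ESTABLISHED" for i in range(60)]
    rows += [f"tcp 0 0 192.0.2.10:80 203.0.113.{i}:51000 ESTABLISHED" for i in range(1, 6)]
    rows += ["tcp 0 0 192.0.2.10:22 198.51.100.7:50022 ESTABLISHED",   # other service, ignored
             "tcp 0 0 192.0.2.10:80 203.0.113.1:51001 TIME_WAIT"]      # already closed, ignored
    return "\n".join(rows)

def sockets_per_client(netstat_text, port=80, states=HELD_STATES):
    """Count sockets per remote address that are held open against the given local port."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # banner, column header or non-TCP row
        local, remote, state = fields[3], fields[4], fields[5]
        if state not in states:
            continue
        # rpartition splits on the last ':' so IPv6-style addresses keep their colons
        if local.rpartition(":")[2] != str(port):
            continue
        counts[remote.rpartition(":")[0]] += 1
    return counts

def offenders(netstat_text, threshold=50, port=80):
    """Return (address, socket_count) pairs above the threshold, busiest first."""
    counts = sockets_per_client(netstat_text, port)
    flagged = [(ip, n) for ip, n in counts.items() if n > threshold]
    return sorted(flagged, key=lambda pair: -pair[1])

if __name__ == "__main__":
    for ip, n in offenders(build_sample()):
        print(f"{ip} holds {n} sockets on port 80")
```

On a live server, pass the captured output of `netstat -ant` to `offenders()` and set the threshold well above what a proxy or NAT gateway in front of many legitimate users would reach.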