This is a mirror of official site: http://jasper-net.blogspot.com/

ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks

| Sunday, November 28, 2010
With the recent OWASP AppSec DC presentation on Slow HTTP POST DoS attacks, concern about web server platform DoS has reached a new high.  Notice that I said web server platform and not web application code.  The attack scenario raised by the slow HTTP POST attack is a property of the web server software (Apache, IIS, SunONE, etc.) and cannot be directly mitigated by application code.  In this blog post we will highlight the two main varieties of slow HTTP attacks, slow request headers and slow request bodies, and then provide some new mitigation options for the Apache web server platform with ModSecurity.

Network DoS vs. Layer-7 DoS

Whereas network-level DoS attacks aim to flood your pipe with lower-layer OSI traffic (SYN floods, etc.), web application layer DoS attacks can often be achieved with far less traffic.  The point is that the volume needed to cause an HTTP DoS condition is frequently below what a network-level device would identify as anomalous, so it would not be reported the way a traditional network-level botnet DDoS attack would be.

Layer-7 Connection Consumption Attacks

Ivan Ristic brought up the concept of connection consumption attacks in his 2005 book "Apache Security":

5.4.3. Programming Model Attacks

The brute-force attacks we have discussed are easy to perform but may require a lot of bandwidth, and they are easy to spot. With some programming skills, the attack can be improved to leave no trace in the logs and to require little bandwidth.

The trick is to open a connection to the server but not send a single byte. Opening the connection and waiting requires almost no resources by the attacker, but it permanently ties up one Apache process to wait patiently for a request. Apache will wait until the timeout expires, and then close the connection. As of Apache 1.3.31, request-line timeouts are logged to the access log (with status code 408). Request line timeout messages appear in the error log with the level info. Apache 2 does not log such messages to the error log, but efforts are underway to add the same functionality as is present in the 1.x branch.
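
The attack Ristic describes, as an added example that is not code from the original post, from SpiderLabs or from Apache: a toy Python HTTP server with a pool of two workers (standing in for Apache's MaxClients, scaled down) and a per-read socket timeout (standing in for Apache's Timeout directive) is attacked by one slow-header client and one slow-body client, the two varieties the post names. The pool size, the attacker payloads and the legitimate request are all constructed here; the 408 the toy records in its own log mirrors what Apache writes to the access log. Everything stays on 127.0.0.1.

```python
"""Slow-header / slow-body connection consumption against a tiny worker pool. Added example, not
code from the original post, SpiderLabs or Apache; MAX_WORKERS stands in for MaxClients, request_timeout for Timeout."""
import re
import socket
import threading
import time

MAX_WORKERS = 2  # assumed pool size: two idle connections are enough to fill it

def _recv_until(conn, buf, done):
    """Read until done(buf) holds; an idle client parks the worker here until the socket timeout fires."""
    while not done(buf):
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError
        buf += chunk
    return buf

class ToyServer:
    def __init__(self, request_timeout):
        self.request_timeout = request_timeout
        self.log = []        # (client_ip, status) per connection, the toy's access log
        self.accepted = 0    # connections handed to a worker so far
        self._slots = threading.BoundedSemaphore(MAX_WORKERS)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            self._slots.acquire()          # no free worker: new clients queue in the kernel backlog
            try:
                conn, addr = self.sock.accept()
            except OSError:                # listening socket closed
                return
            self.accepted += 1
            threading.Thread(target=self._serve, args=(conn, addr), daemon=True).start()

    def _serve(self, conn, addr):
        conn.settimeout(self.request_timeout)   # Apache's Timeout: max wait for the next byte
        status = 200
        try:
            head, _, body = _recv_until(conn, b"", lambda b: b"\r\n\r\n" in b).partition(b"\r\n\r\n")
            m = re.search(rb"(?im)^content-length:[ \t]*(\d+)", head)
            length = int(m.group(1)) if m else 0
            _recv_until(conn, body, lambda b: len(b) >= length)   # slow-body attackers stall here
        except socket.timeout:
            status = 408                   # what Apache writes to the access log on a timeout
        except ConnectionError:
            status = 400
        self.log.append((addr[0], status)) # logged before the reply so the log is complete once the client hears back
        reason = {200: "OK", 408: "Request Timeout"}.get(status, "Bad Request")
        try:
            conn.sendall(f"HTTP/1.1 {status} {reason}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n".encode())
        except OSError:
            pass
        conn.close()
        self._slots.release()              # the worker is free again

def send_and_wait(port, payload, deadline):
    """Send payload, wait up to deadline seconds for a status line; returns (status or None, seconds waited)."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.settimeout(deadline)
        t0 = time.monotonic()
        try:
            data = s.recv(1024)
            status = int(data.split(b" ")[1]) if data else None
        except socket.timeout:
            status = None
    return status, time.monotonic() - t0

# Constructed payloads: a header block that never ends, a body that never arrives, and a real request.
SLOW_HEADERS = b"GET / HTTP/1.1\r\nHost: target\r\nX-a: b\r\n"
SLOW_BODY = b"POST / HTTP/1.1\r\nHost: target\r\nContent-Length: 1000\r\n\r\n"
NORMAL = b"GET / HTTP/1.1\r\nHost: target\r\n\r\n"

def run_demo(request_timeout, victim_deadline):
    """Park an idle client on every worker, then see whether a legitimate client is still served."""
    server = ToyServer(request_timeout)
    hold = request_timeout + 1.0           # attackers outlast the server's timeout
    attackers = [threading.Thread(target=send_and_wait, args=(server.port, p, hold), daemon=True)
                 for p in (SLOW_HEADERS, SLOW_BODY)]
    for t in attackers:
        t.start()
    give_up = time.monotonic() + 5.0
    while server.accepted < MAX_WORKERS and time.monotonic() < give_up:
        time.sleep(0.01)                   # wait until both workers are tied up
    status, waited = send_and_wait(server.port, NORMAL, victim_deadline)
    if status is not None:                 # the timeout fired, so the attackers got their 408s
        for t in attackers:
            t.join()
    server.sock.close()
    return {"victim_status": status, "victim_waited": round(waited, 2),
            "timeouts_logged": sum(1 for _, st in server.log if st == 408)}

if __name__ == "__main__":
    print(run_demo(0.5, 5.0), run_demo(30.0, 1.0))  # served after ~0.5 s with two 408s; then starved
```

With a 0.5 s timeout the legitimate client is answered after roughly half a second, once the first idle connection is cut off, and the toy log carries two 408 entries, the footprint Ristic points to. With the timeout raised to 30 s the same client gets nothing within its own one-second deadline and nothing is logged, which is the starvation the post is about: two idle sockets, a few hundred bytes, and no error to look at. The pool is two workers only to keep the run short; scale MAX_WORKERS and the number of attackers together to model a real MaxClients.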


Read more: SpiderLabs

Posted via email from .NET Info
