LinuxQuestions.org

Linux - Server: Lighttpd: Slow HTTP POST Attack (https://www.linuxquestions.org/questions/linux-server-73/lighttpd-slow-http-post-attack-859905/)

hydraMax 01-31-2011 10:44 PM

Lighttpd: Slow HTTP POST Attack
 
http://www.darkreading.com/vulnerabi...532/index.html

I ran across the above article, which described a DoS attack in which requests are sent very slowly to the Web server. I'm running lighttpd 1.4.28 on a Gentoo Linux server, and I'm wondering if there is anything I could do in preparation to defend against such an attack.

A bug report <http://redmine.lighttpd.net/issues/2147> seems to indicate that there was a patch in place already against this sort of attack, but I wanted to be sure that was the same thing and if there was anything else I needed to do. Thanks.

unSpawn 02-01-2011 06:26 PM

ModSecurity >=2.5.13 seems to be suggested:
Code:

Add directive:
"RequestReadTimeout body=30"

Add a rule:
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
    "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'"

For more, see the Chaptersinwebsecurity presentation at http://www.hybridsec.com/papers/OWAS...l-HTTP-DoS.ppt (slides 8 - 15). Note just adding these to ModSecurity is not enough: downloading the attack POC and testing it should definitely be the next step to find out if it works as advertised.
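The two SecRule lines above implement a small state machine: every 408 (request timeout) response bumps a per-client counter, the counter lapses 60 seconds after its last increment, and a client whose counter exceeds 5 gets dropped. The following is an added example, not code from the thread, from ModSecurity or from lighttpd: it re-implements that counting logic in plain Python over constructed combined-format access-log lines, so the threshold and expiry behaviour can be checked offline (or run as a post-hoc log review) before trusting the rule in production. The log lines, IP addresses and timestamps are constructed for the example; the window and threshold values mirror the rule above.

```python
"""Per-IP counter for HTTP 408 responses, mirroring the ModSecurity rule pair.

Added example (not from the thread or ModSecurity). It reproduces the
semantics of
  setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60  (on 408)
  SecRule IP:SLOW_DOS_COUNTER "@gt 5" ... drop                   (on next request)
over access-log lines instead of live requests.
"""
import re
from datetime import datetime, timedelta

# Combined log format as written by lighttpd/Apache: ip ident user [ts] "req" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})\s'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 60  # expirevar:ip.slow_dos_counter=60
THRESHOLD = 5        # "@gt 5"

# Constructed sample log: one client times out six POST bodies in 50 seconds,
# another times out twice but two minutes apart (counter lapses in between).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2011:10:00:00 +0000] "POST /upload HTTP/1.1" 408 0
203.0.113.7 - - [01/Feb/2011:10:00:10 +0000] "POST /upload HTTP/1.1" 408 0
192.0.2.44 - - [01/Feb/2011:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.7 - - [01/Feb/2011:10:00:20 +0000] "POST /upload HTTP/1.1" 408 0
203.0.113.7 - - [01/Feb/2011:10:00:30 +0000] "POST /upload HTTP/1.1" 408 0
203.0.113.7 - - [01/Feb/2011:10:00:40 +0000] "POST /upload HTTP/1.1" 408 0
203.0.113.7 - - [01/Feb/2011:10:00:50 +0000] "POST /upload HTTP/1.1" 408 0
192.0.2.44 - - [01/Feb/2011:10:01:00 +0000] "POST /form HTTP/1.1" 408 0
192.0.2.44 - - [01/Feb/2011:10:03:00 +0000] "POST /form HTTP/1.1" 408 0
""".splitlines()


def parse_line(line):
    """Return (ip, timestamp, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(m.group("status"))


def flag_slow_post_clients(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: time_first_exceeded} for clients with > threshold 408s.

    The counter is reset when no 408 has been seen for `window` seconds,
    which is what expirevar does: the expiry is pushed out on every hit.
    """
    counters = {}  # ip -> (count, expires_at)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the review
        ip, ts, status = parsed
        if status != 408:
            continue  # only request timeouts feed the counter
        count, expires_at = counters.get(ip, (0, ts))
        if ts >= expires_at:
            count = 0  # expirevar elapsed: counter starts over
        count += 1
        counters[ip] = (count, ts + timedelta(seconds=window))
        if count > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in flag_slow_post_clients(SAMPLE_LOG).items():
        print(f"{ip} exceeded {THRESHOLD} timeouts within {WINDOW_SECONDS}s at {when:%H:%M:%S}")
```

Two checks worth making against a real deployment: the `ip.*` variables only work if the `ip` collection has been initialised elsewhere in the ModSecurity config (`initcol`), and the counter only ever moves if the server actually emits a 408 when the body read times out. On lighttpd the read-side idle limit is `server.max-read-idle`; whether a timed-out connection shows up in the access log with a 408 status on that version is something to verify on the box itself before relying on log-based counting.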

hydraMax 02-02-2011 11:21 PM

Quote:

Originally Posted by unSpawn (Post 4245156)
ModSecurity >=2.5.13 seems to be suggested:
Code:

Add directive:
"RequestReadTimeout body=30"

Add a rule:
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
    "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'"

For more, see the Chaptersinwebsecurity presentation at http://www.hybridsec.com/papers/OWAS...l-HTTP-DoS.ppt (slides 8 - 15). Note just adding these to ModSecurity is not enough: downloading the attack POC and testing it should definitely be the next step to find out if it works as advertised.

Apache only?

unSpawn 02-04-2011 10:48 AM

Yeah, you're right. I did read some texts about converting some string matches in an effort to mimic part of mod_security but Lighttpd uses Lua and I don't...
