Educause Security Discussion mailing list archives
Re: Slow-read DOS
From: Nathaniel Hall <educause-lists () NATHANIELHALL COM>
Date: Tue, 17 Jan 2012 19:04:04 -0600
You could use iptables to search for a window size that is smaller than what is being used (or the specific size, if it is consistent) and REJECT the connection. You specifically want to REJECT it (icmp-host-unreachable, IMHO) in order to flush the connection from the perimeter firewall. This could screw up legitimate connections, but that might be worth it until you can get a handle on things.

Take a look at the man pages for --hex-string. Use it in conjunction with --from and --to. Figure out what the common or max window size is and convert that to hex. Then search for it in the packet.

--
Nathaniel Hall
I am many things, but I am not a lawyer, accountant, or agent of the federal, state, or local government.

On 01/17/2012 02:06 PM, HOGGATT, ANDY F. wrote:
Greetings all,

We have been experiencing DOS issues today relating to the "slow http" method (see article below). Has anyone else been experiencing these attacks or have any knowledge, or experience on defending against these? They seem to be very sporadic.

The access logs have the following entry in the HTTP header:

"FAKEVERB / HTTP/1.1" 301 227 http://code.google.com/p/slowhttptest/

Feel free to email me directly, if you'd prefer.

http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232301367/new-denial-of-service-attack-cripples-web-servers-by-reading-slowly.html

Thank you,
Andy Hoggatt
hoggatta () otc edu
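The iptables approach from Nathaniel Hall's reply, as an added example that is not part of the original thread: it converts one observed TCP window size to the --hex-string form and prints the REJECT rule for review instead of applying it. It covers only the exact-size case, since the string match cannot express "smaller than". Assumptions not stated in the thread: IPv4 packets without IP options (so the window field sits at packet offsets 34-35), the INPUT chain, TCP port 80, and a constructed window value of 512.

```shell
#!/bin/sh
# Added example: prints the iptables rule for review; it does not apply it.
# Assumptions: 20-byte IPv4 header (no options), so the 16-bit TCP window
# field (TCP header bytes 14-15) is at packet offsets 34-35; INPUT chain;
# web server on TCP port 80. The window value 512 below is constructed.

# Convert a decimal TCP window size (0-65535) to the "|hh hh|" form
# that --hex-string expects, in network byte order.
window_to_hex() {
    win=$1
    case $win in
        ''|*[!0-9]*|0?*)
            echo "window must be a plain decimal integer" >&2
            return 1 ;;
    esac
    if [ "$win" -gt 65535 ]; then
        echo "window must fit in 16 bits" >&2
        return 1
    fi
    printf '|%02x %02x|' $((win / 256)) $((win % 256))
}

# Print a rule that REJECTs packets advertising exactly that window.
# --from 34 --to 36 limits the scan to bytes 34 and 35 (the man page
# defines byte "to - 1" as the last one scanned).
build_rule() {
    hex=$(window_to_hex "$1") || return 1
    port=${2:-80}
    printf 'iptables -A INPUT -p tcp --dport %s -m string --algo bm --from 34 --to 36 --hex-string "%s" -j REJECT --reject-with icmp-host-unreachable\n' \
        "$port" "$hex"
}

# Constructed sample: the slow-read clients are assumed to advertise 512.
build_rule 512
```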