Educause Security Discussion mailing list archives

Re: Slow-read DOS


From: Nathaniel Hall <educause-lists () NATHANIELHALL COM>
Date: Tue, 17 Jan 2012 19:04:04 -0600

You could use iptables to search for a window size that is smaller than
what is being used (or the specific size, if it is consistent) and
REJECT the connection.  You specifically want to REJECT it
(icmp-host-unreachable, IMHO) in order to flush the connection from the
perimeter firewall.  This could screw up legitimate connections, but
that might be worth it until you can get a handle on things.

Take a look at the man pages for --hex-string.  Use it in conjunction
with --from and --to.  Figure out what the common or max window size is
and convert that to hex.  Then search for it in the packet.

-- 
Nathaniel Hall

I am many things, but I am not a lawyer, accountant, or agent of the federal, state, or local government.


On 01/17/2012 02:06 PM, HOGGATT, ANDY F. wrote:

Greetings all,

We have been experiencing DOS issues today relating to the "slow http"
method (see article below).  Has anyone else been experiencing these
attacks or have any knowledge, or experience on defending against
these?  They seem to be very sporadic.  The access logs have the
following entry in the HTTP header:

"FAKEVERB / HTTP/1.1" 301 227 http://code.google.com/p/slowhttptest/

Feel free to email me directly, if you'd prefer.

http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232301367/new-denial-of-service-attack-cripples-web-servers-by-reading-slowly.html

Thank you,

Andy Hoggatt

hoggatta () otc edu
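Nathaniel Hall's suggestion above, worked through as an added example that is not from either post: a POSIX shell script that computes the packet offsets and --hex-string patterns and prints the iptables rules. It assumes IPv4 with no IP options (20-byte header, so the TCP window field sits at packet bytes 34-35) and a web server on port 80; the 64-byte threshold is a constructed value.

```shell
#!/bin/sh
# Added example, not from the mailing list post.
# Prints iptables rules that REJECT inbound TCP segments whose advertised
# window is at or below a threshold, using -m string --hex-string with
# --from/--to so only the window field of the TCP header is compared.
# Assumptions: IPv4 without IP options (20-byte header); server on port 80.
# Rules are printed, not applied; pipe the output to sh as root to load them.

IPHDR_LEN=20      # assumed: no IP options
TCP_WIN_OFF=14    # offset of the 16-bit window field inside the TCP header
WIN_FROM=$((IPHDR_LEN + TCP_WIN_OFF))   # 34: first byte scanned
WIN_TO=$((WIN_FROM + 2))                # 36: --to names the first byte NOT scanned

# window_hex SIZE -> "|hh hh|", the big-endian 16-bit pattern for --hex-string
window_hex() {
    hex=$(printf '%04x' "$1")
    printf '|%s %s|' "${hex%??}" "${hex#??}"
}

# window_rule SIZE PORT -> one rule rejecting segments advertising exactly SIZE
window_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s -m string --algo bm --hex-string "%s" --from %s --to %s -j REJECT --reject-with icmp-host-unreachable\n' \
        "$2" "$(window_hex "$1")" "$WIN_FROM" "$WIN_TO"
}

# window_rules MAX PORT -> one rule per window size from 0 to MAX inclusive
window_rules() {
    size=0
    while [ "$size" -le "$1" ]; do
        window_rule "$size" "$2"
        size=$((size + 1))
    done
}

# Constructed threshold: reject windows of 64 bytes or less on port 80
window_rules 64 80
```

Tiny advertised windows also occur in ordinary flow control, and with window scaling the raw field understates the real window, so count matches with an identical rule using -j LOG before switching the REJECT on.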

