Secure Coding mailing list archives

Re: Java DOS


From: "Kevin W. Wall" <kevin.w.wall () gmail com>
Date: Tue, 15 Feb 2011 21:43:32 -0500

On 02/15/2011 11:38 AM, Jim Manico wrote:
[snip]
Ryan Barnett just spit out a new (impressive) mod security rule so you
can tactically patch without touching code (see below).

[snip]
First step is to inspect the ARGS and REQUEST_HEADERS data using a regex
to match on potential floating point payloads -

SecRule ARGS|REQUEST_HEADERS "[0-9\.]{12,}e-[0-9]{3,}" "phase:2,t:none,t:lowercase,nolog,pass,exec:/usr/local/apache/conf/modsec_current/base_rules/FloatingPointDoSAttack.lua"

If a payload is found that matches the regex check, ModSecurity will
execute an external Lua script.  The Lua script then extracts out
payloads, strips out the "." and then searches for the MagicDoSNumber.  If
this is found, then a TX variable is exported -

Great idea, but the regex still needs work. For instance, one needn't
even use scientific notation at all, unless there is some other
mod_security rule restricting the overall length of an HTTP request
header. E.g.,

 Accept-Language: en-us; q=0.000000000...00022250738585072012

where I've omitted the appropriate # of zeros for the sake of readability.

Similarly, one could also write the quality metric using 'e-90' or
'e-3' or whatever; even 'e+2' if I wanted. But the approach is correct;
only the regex needs work unless there's some other mod_security rule
that would catch these things.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
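A small Python model of the quoted rule's two stages, added here as an example (it is not part of this thread, and not Ryan Barnett's rule or Lua script): it runs the quoted trigger regex and a widened strip-dots-then-search check over constructed header values, showing that the plain-decimal, short-exponent and positive-exponent forms Kevin describes slip past the first stage. Assumptions: the magic digit string is taken from the decimal form in Kevin's mail, and FLOAT_TOKEN is a candidate regex of my own, not from ModSecurity.

```python
import re

# First-stage trigger regex exactly as quoted in the thread's SecRule
# (ModSecurity applies t:lowercase first, so only a lowercase "e" is checked).
MODSEC_TRIGGER = re.compile(r"[0-9\.]{12,}e-[0-9]{3,}")

# Digit sequence of the "MagicDoSNumber": taken from the decimal form Kevin
# gives in the mail (0.000...00022250738585072012), dots and leading zeros removed.
MAGIC_DIGITS = "22250738585072012"

# Broader candidate token (assumption, not from the page): 12+ digits/dots,
# optionally followed by an exponent of either sign and any length.
FLOAT_TOKEN = re.compile(r"[0-9][0-9.]{11,}(?:[eE][+-]?[0-9]+)?")


def modsec_trigger_matches(value: str) -> bool:
    """Stage 1 as quoted: would the SecRule hand this value to the Lua script?"""
    return MODSEC_TRIGGER.search(value.lower()) is not None


def contains_magic_number(value: str) -> bool:
    """Model of the Lua stage, widened so it does not depend on stage 1:
    pull out float-looking tokens, drop the exponent and the ".", and look
    for the magic digit sequence in what is left."""
    for token in FLOAT_TOKEN.findall(value):
        mantissa = re.split(r"[eE]", token, maxsplit=1)[0]
        if MAGIC_DIGITS in mantissa.replace(".", ""):
            return True
    return False


# Constructed sample header values covering the forms discussed in the thread.
SAMPLES = {
    "sci_notation": "en-us; q=2.2250738585072012e-308",
    "plain_decimal": "en-us; q=0." + "0" * 307 + MAGIC_DIGITS,  # Kevin's form
    "short_exponent": "en-us; q=2.2250738585072012e-90",
    "positive_exponent": "en-us; q=2.2250738585072012e+2",
    "benign": "en-us; q=0.8, en;q=0.5",
    "benign_long": "id=3.14159265358979323846",
}


def report() -> dict:
    """Map each sample name to (stage-1 regex hit, widened check hit)."""
    return {name: (modsec_trigger_matches(v), contains_magic_number(v))
            for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (regex_hit, magic_hit) in report().items():
        print(f"{name:18} regex={regex_hit!s:5} magic={magic_hit}")
```

Only the sci_notation sample passes the first-stage regex; the other three hostile forms are caught only by the widened check, which is the gap Kevin points at.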
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________