WebApp Sec mailing list archives
RE: Dropping connection instead of returning 400
From: "Matt Fisher" <mfisher () spidynamics com>
Date: Tue, 19 Apr 2005 22:16:05 -0400
Sounds like a good idea to me, but of course what are the dependencies on returning a proper 400 ? Could break things down the road. Instead of sending a RST, may want to consider just dropping the connection altogether as well. I'm a big fan of just hanging the connect, instead of resetting . Just adds another layer of pain (althought admittedly slight) to whomever's perputrating the fraud.
-----Original Message----- From: Kanatoko [mailto:anvil () jumperz net] Sent: Monday, April 18, 2005 5:29 AM To: webappsec () securityfocus com Subject: Re: Dropping connection instead of returning 400 On Tue, 1 Mar 2005 20:59:37 -0800 (PST) christopher () baus net wrote:One thing that keeps coming back to me is 400 Bad Requesthandling.It is now my opinion that security proxies should just dropconnectionwhen faced with traffic they refuse to handle.Google web server (GWS) works just like that. If you send an invalid HTTP request like this to Google, -- GET / AAAA/1.0 User-Agent: hoge Host: www.google.com -- GWS drops the TCP connection with RST packet. On the other hand, Apache and IIS return a 400 response. BTW, I got this information from the book "Intrusion Prevention and Active Response" page 137. http://www.amazon.com/exec/obidos/tg/detail/-/193226647X/ -- Kanatoko<anvil () jumperz net> Open Source WebAppFirewall http://guardian.jumperz.net/
Current thread:
- Re: Dropping connection instead of returning 400 Kanatoko (Apr 18)
- <Possible follow-ups>
- RE: Dropping connection instead of returning 400 Matt Fisher (Apr 20)
- RE: Dropping connection instead of returning 400 christopher (Apr 21)