[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Does your software?
> On Tue, 24 Oct 1995, Jon Mittelhauser wrote:
> > Dr. Frederick B. Cohen wrote:
> > > Yet it services more than one request per minute, 24 hours, 7 days, and
> > > has done so without denial of services, corruption, or leakage since its
> > I really tried to resist but....
> Thanks for saving me from the temptation but I guessed you were so taken
> aback by the performance claims that you missed the most amazing claim:
> an httpd that is proof against Denial Of Service. I'd love to know how
> Dr. Fred does this, since DoS is believed impossibly to defend against
> for unauthenticated TCP...
It's detailed to some extent in the on-line paper about the server.
> The usual DoS attack is to send a stream of connection-initiating SYNs to
> the target port, and never ACK the returned SYN. This fills up the listen
> queue, and jams the port. As long as you can generate SYNs faster than
> the TCP implementation times out the older pending requests, the port is
> jammed (modulo a small window of, er, invunerability between one of your
> SYNs timing out and its replacement turning up).
Right - that's why you have to have timeouts. Unfortunately, I only
prevent denial of services attacks once things hit the server. I think
the TCP wrapper also has a timeout on it's request for authentication.
As I said, the system is not made less secure by the server. It's very
common for other http servers to start a process, lose the link to the
calling host, and leave processes hung out to dry. Even without an
intentional attack, servers end up with hundreds of processes hanging
around after a few weeks of uptime. If you get 1024 hung channels, you
have denial of services on most http implementations.
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236