
Re: Does your software?

> On Tue, 24 Oct 1995, Jon Mittelhauser wrote:
> 
> > Dr. Frederick B. Cohen wrote:
> > 
> > > Yet it services more than one request per minute, 24 hours, 7 days, and
> > > has done so without denial of services, corruption, or leakage since its
> 
> > I really tried to resist but....
> > 
> 
> Thanks for saving me from the temptation but I guessed you were so taken 
> aback by the performance claims that you missed the most amazing claim: 
> an httpd that is proof against Denial Of Service. I'd love to know how 
> Dr. Fred does this, since DoS is believed impossible to defend against 
> for unauthenticated TCP...

It's detailed to some extent in the on-line paper about the server.

> The usual DoS attack is to send a stream of connection-initiating SYNs to 
> the target port, and never ACK the returned SYN. This fills up the listen 
> queue, and jams the port. As long as you can generate SYNs faster than 
> the TCP implementation times out the older pending requests, the port is 
> jammed (modulo a small window of, er, invulnerability between one of your 
> SYNs timing out and its replacement turning up).

Right - that's why you have to have timeouts.  Unfortunately, I only
prevent denial of services attacks once things hit the server.  I think
the TCP wrapper also has a timeout on its request for authentication.
As I said, the system is not made less secure by the server.  It's very
common for other http servers to start a process, lose the link to the
calling host, and leave processes hung out to dry.  Even without an
intentional attack, servers end up with hundreds of processes hanging
around after a few weeks of uptime.  If you get 1024 hung channels, you
have denial of services on most http implementations.

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
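The point in the reply above (time out a connection once it has been accepted, so a client that completes the handshake and then never sends a request cannot leave a worker "hung out to dry") can be shown with a small self-contained demo. The following is an added example, not code from the server the thread discusses or from either poster. It assumes a threaded server on 127.0.0.1 with a hypothetical REQUEST_TIMEOUT of 0.5 s (a real server would use tens of seconds), and it constructs its own "silent" and "real" clients in-process. It deliberately does not address the kernel-side listen-queue exhaustion described in the quoted SYN-flood paragraph, which happens before accept() and is outside the application's reach; it only demonstrates the part the reply claims the server handles.

```python
import socket
import threading
import time

# Per-connection timeout (seconds): how long the server waits, after accept(),
# for a request line before dropping the connection. Small for the demo only.
REQUEST_TIMEOUT = 0.5


def serve_one(conn, stats, lock):
    """Handle one accepted connection; reap it if no request arrives in time."""
    conn.settimeout(REQUEST_TIMEOUT)
    try:
        data = conn.recv(1024)
        if data.startswith(b"GET "):
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
            with lock:
                stats["served"] += 1
        else:
            # Empty read (peer closed) or junk: just drop it.
            with lock:
                stats["bad"] += 1
    except socket.timeout:
        # The peer completed the handshake but never spoke: free the worker.
        with lock:
            stats["reaped"] += 1
    finally:
        conn.close()


def run_server(listener, stats, lock, stop):
    """Accept loop; one thread per connection, polled so it can be stopped."""
    listener.settimeout(0.1)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        threading.Thread(target=serve_one, args=(conn, stats, lock),
                         daemon=True).start()


def run_demo(n_silent=5, n_real=3):
    """Open n_silent idle connections, then n_real requests; return counters."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, no network needed
    listener.listen(16)
    port = listener.getsockname()[1]

    stats = {"served": 0, "reaped": 0, "bad": 0}
    lock = threading.Lock()
    stop = threading.Event()
    srv = threading.Thread(target=run_server,
                           args=(listener, stats, lock, stop), daemon=True)
    srv.start()

    # Constructed "silent" clients: handshake completes, no request ever sent.
    silent = [socket.create_connection(("127.0.0.1", port))
              for _ in range(n_silent)]

    # Constructed real clients: they must still get answers while the silent
    # ones are pending, which is what a per-connection timeout buys you.
    replies = 0
    for _ in range(n_real):
        c = socket.create_connection(("127.0.0.1", port))
        c.settimeout(2.0)
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")
        if c.recv(1024).startswith(b"HTTP/1.0 200"):
            replies += 1
        c.close()

    time.sleep(REQUEST_TIMEOUT * 3)  # let the silent connections be reaped
    stop.set()
    srv.join()
    for s in silent:
        s.close()
    listener.close()
    with lock:
        return {"served": stats["served"], "reaped": stats["reaped"],
                "bad": stats["bad"], "client_replies": replies}


if __name__ == "__main__":
    print(run_demo())
```

Without the settimeout() call in serve_one, the five silent connections would each pin a worker forever, which is exactly the "hundreds of processes hanging around" failure the reply describes; with it, each idle worker is released after REQUEST_TIMEOUT while the real requests are answered in the meantime.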