- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Mon, 20 Jun 2011 16:21:55 +0000
- To: Jan Starke <jan.starke@outofbed.org>
- cc: ietf-http-wg@w3.org
In message <BANLkTik1rT_Z69xE7YenpB9GPbbxFmKLfg@mail.gmail.com>, Jan Starke writes:

>A possible mitigation would be to require SSL or TLS, [...]

Economically impossible at the bandwidths many sites run.

>Another (not very mighty) mitigation could be to provide an
>intermediate layer between TCP and HTTP to handle meta information.

This is what FreeBSD's "accept-filters" do. None of the presently implemented filters catch this particular case though.

Not really sure it is a feasible way to deal with POST bodies though.

>I have no idea how to really prevent this kind of attack, maybe
>someone in this mailing-list knows how...

There is no way to prevent it, it is a direct consequence of the protocols, at best you can mitigate it.

The best mitigation is to have high-level detection software that says "Funny, we've seen a lot of those, let's just summarily close all unauthenticated POST attempts until they get bored" and similar.

The second best mitigation is to write your code to spend as few resources as possible, until you can commit to the request.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 20 June 2011 16:22:28 UTC
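A sketch of the "high-level detection" mitigation phk describes, as an added example that is not part of this thread: it counts stalled unauthenticated POST bodies across all clients in a sliding window and refuses new unauthenticated POSTs while the count stays high. The connection events, the window length, the stall threshold and the count threshold are all constructed or assumed tunables.

```python
"""Heuristic detector for a flood of stalled (slow) POST uploads."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    t: float             # seconds on a monotonic clock (constructed)
    client: str          # peer address
    method: str
    authenticated: bool
    content_length: int  # declared body length, 0 if none
    bytes_received: int  # body bytes actually delivered so far
    elapsed: float       # seconds the body has been pending


class SlowPostDetector:
    # Tunables are assumptions; a real deployment would size them to its traffic.
    def __init__(self, window=60.0, max_stalled=5, min_stall=10.0):
        self.window, self.max_stalled, self.min_stall = window, max_stalled, min_stall
        self.stalled = deque()  # timestamps of stalled unauthenticated POSTs

    def observe(self, ev):
        """Record a stalled POST: no auth, body declared, mostly undelivered, pending long."""
        if (ev.method == "POST" and not ev.authenticated and ev.content_length > 0
                and ev.bytes_received < ev.content_length and ev.elapsed >= self.min_stall):
            self.stalled.append(ev.t)
        self._expire(ev.t)

    def _expire(self, now):
        while self.stalled and now - self.stalled[0] > self.window:
            self.stalled.popleft()

    def under_attack(self, now):
        self._expire(now)
        return len(self.stalled) > self.max_stalled

    def should_accept(self, ev):
        """Policy: while the flood lasts, close unauthenticated POSTs before buying a body buffer."""
        return not (ev.method == "POST" and not ev.authenticated and self.under_attack(ev.t))


# Constructed sample: six stalled uploads from distinct peers, then ordinary traffic.
SAMPLE_EVENTS = [ConnEvent(float(i), f"198.51.100.{i}", "POST", False, 100000, 100, 30.0)
                 for i in range(6)] + [
    ConnEvent(6.0, "203.0.113.7", "POST", False, 500, 500, 0.1),   # benign, but refused
    ConnEvent(6.5, "203.0.113.8", "POST", True, 500, 500, 0.1),    # authenticated: allowed
    ConnEvent(7.0, "203.0.113.9", "GET", False, 0, 0, 0.0),        # not a POST: allowed
    ConnEvent(70.0, "203.0.113.7", "POST", False, 500, 500, 0.1),  # window expired: allowed
]


def run_sample():
    det, decisions = SlowPostDetector(), []
    for ev in SAMPLE_EVENTS:
        decisions.append(det.should_accept(ev))  # decide before spending resources
        det.observe(ev)
    return decisions
```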