Re: Denial of Service using invalid Content-Length header

In message <BANLkTik1rT_Z69xE7YenpB9GPbbxFmKLfg@mail.gmail.com>, Jan Starke wri
tes:

>A possible mitigation would be to require SSL or TLS, [...]

Economically impossible at the bandwidths many sites run.

>Another (not very mighty) mitigation could be to provide an
>intermediate layer between TCP and HTTP to handle meta information.

This is what FreeBSD's "accept-filters" do.  None of the presently
implemented filters catch this particular case though.  Not really
sure it is a feasible way to deal with POST bodies though.

>I have no idea how to really prevent this kind of attack, maybe
>someone in this mailing-list knows how...

There is no way to prevent it, it is a direct consequence of the
protocols, at best you can mitigate it.

The best mitigation is to have high-level detection software that
says "Funny, we've seen a lot of those, lets just summarily
close all unauthenticated POST attempts until they get bored" and
similar.

The second best mitigation is to write your code to spend as few
resources as possible, until you can commit to the request.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Monday, 20 June 2011 16:22:28 UTC