From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Fri, 24 May 2013 11:44:27 +0200
Message-ID:
References: <87vc68ra57.fsf@araminta.anjou.terraraq.org.uk>
User-Agent: MT-NewsWatcher/3.5.2 (Intel Mac OS X)

Richard Kettlewell wrote:

> Sandman writes:
> > Ok, so I'll block it. Blocking it in apache seemed stupid, it would still
> > process the requests, so to iptables:
> >
> > iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm \
> > --string "GET /wpad.dat" -j REJECT --reject-with tcp-reset
> >
> > Yes, I know this analyzes *every* request, and wastes CPU cycles, I may
> > get around to chain this into a separate iptables chain and only act on
> > correct parts. In about an hour, this has blocked 45k requests, or about
> > 750 per minute
>
> While this will send a TCP reset to the misbehaving client, AIUI it will
> not send anything to your Apache, which by this point will have an open
> TCP connection and will be awaiting the start of the HTTP request. It
> will presumably continue waiting up to some timeout. You should be able
> to use netstat to confirm or refute this.

Thank you for your reply. I thought "reject" just rejected the request and
nothing came to Apache?
Using /server-status I see a huge difference in active connections, but I
do see a tremendous amount of "Total accesses" which doesn't seem to
correlate to the actual number of "valid" HTTP requests.

  Current Time: Friday, 24-May-2013 11:39:38 CEST
  Restart Time: Friday, 24-May-2013 11:22:51 CEST
  Parent Server Generation: 0
  Server uptime: 16 minutes 47 seconds
  Total accesses: 14027 - Total Traffic: 144.8 MB
  CPU Usage: u124.78 s5.91 cu136.95 cs0 - 26.6% CPU load
  13.9 requests/sec - 147.2 kB/second - 10.6 kB/request
  29 requests currently being processed, 24 idle workers

  ...._.KK.KK..........._.._...K._.R..._...K_.._...K......._R..K_.
  K_KKKK.._K_KW_WK_K__KK_....K_K_K___K_KK._.......................
  ................................................................
  ................................................................

As you can see - almost a thousand accesses per minute. Yet, my child
processes are free to serve new processes.

"netstat -lap" shows about 400 lines of this:

  tcp 0 0 www.mydomain.com:www c-83-233-215-17.c:49686 SYN_RECV -
  tcp 0 0 www.mydomain.com:www h-5-200.a327.priv:50165 SYN_RECV -
  tcp 0 0 www.mydomain.com:www c-62-220-189-209.:50627 SYN_RECV -
  tcp 0 0 www.mydomain.com:www 238.77.85.212.bah:58190 SYN_RECV -
  tcp 0 0 www.mydomain.com:www c-89-160-22-176.c:57315 SYN_RECV -

So yes, something is still knocking on that door - could this be bogging
down my server? I also have a number of lines with TIME_WAIT status,
suggesting that some queue is full here... Right?

-- 
Sandman[.net]