
Re: wpad.dat attack on Linux Apache server

From Sandman <mr@sandman.net>
Newsgroups comp.os.linux.networking, comp.os.linux.security, comp.infosystems.www.servers.unix
Subject Re: wpad.dat attack on Linux Apache server
Date 2013-05-24 11:44 +0200
Message-ID <mr-05E7DC.11442724052013@News.Individual.NET> (permalink)
References <mr-983E88.11221424052013@News.Individual.NET> <87vc68ra57.fsf@araminta.anjou.terraraq.org.uk>

Cross-posted to 3 groups.

In article <87vc68ra57.fsf@araminta.anjou.terraraq.org.uk>,
 Richard Kettlewell <rjk@greenend.org.uk> wrote:

> Sandman <mr@sandman.net> writes:
> > Ok, so I'll block it. Blocking it in apache seemed stupid, it would still
> > process the requests, so to iptables:
> >
> >     iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm \
> >       --string "GET /wpad.dat" -j REJECT --reject-with tcp-reset
> >
> > Yes, I know this analyzes *every* request, and wastes CPU cycles, I may 
> > get around to chain this into a separate iptables chain and only act on
> > correct parts. In about an hour, this has blocked 45k requests, or about 
> > 750 per minute
> 
> While this will send a TCP reset to the misbehaving client, AIUI it will
> not send anything to your Apache, which by this point will have an open
> TCP connection and will be awaiting the start of the HTTP request.  It
> will presumably continue waiting up to some timeout.  You should be able
> to use netstat to confirm or refute this.

Thank you for your reply. I thought "reject" just rejected the request 
and nothing came to Apache?

Using /server-status I see a huge difference in active connections, but 
I do see a tremendous amount of "Total accesses" which doesn't seem to 
correlate to the actual number of "valid" HTTP requests.

    Current Time: Friday, 24-May-2013 11:39:38 CEST
    Restart Time: Friday, 24-May-2013 11:22:51 CEST
    Parent Server Generation: 0
    Server uptime: 16 minutes 47 seconds
    Total accesses: 14027 - Total Traffic: 144.8 MB
    CPU Usage: u124.78 s5.91 cu136.95 cs0 - 26.6% CPU load
    13.9 requests/sec - 147.2 kB/second - 10.6 kB/request
    29 requests currently being processed, 24 idle workers

    ...._.KK.KK..........._.._...K._.R..._...K_.._...K......._R..K_.
    K_KKKK.._K_KW_WK_K__KK_....K_K_K___K_KK._.......................
    ................................................................
    ................................................................


As you can see - almost a thousand accesses per minute. Yet, my child 
processes are free to serve new processes.

"netstat -lap" shows about 400 lines of this:

tcp  0 0 www.mydomain.com:www  c-83-233-215-17.c:49686 SYN_RECV    -
tcp  0 0 www.mydomain.com:www  h-5-200.a327.priv:50165 SYN_RECV    -
tcp  0 0 www.mydomain.com:www  c-62-220-189-209.:50627 SYN_RECV    -
tcp  0 0 www.mydomain.com:www  238.77.85.212.bah:58190 SYN_RECV    -
tcp  0 0 www.mydomain.com:www  c-89-160-22-176.c:57315 SYN_RECV    -

So yes, something is still knocking on that door - could this be bogging 
down my server?

I also have a number of lines with TIME_WAIT status, suggesting that
some queue is full here... Right?

-- 
Sandman[.net]
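Richard's suggestion was to use netstat to confirm or refute whether Apache is left holding connections. The script below is an added example (not code from anyone in this thread) that parses netstat-style lines and tallies, per service port, how many sockets sit in each TCP state and which peers account for them; the sample lines are constructed to match the layout of the output quoted above, and the "dominant state" verdict in assess() is this example's own heuristic.

```python
import re
from collections import Counter

# Constructed sample in the layout of the `netstat -lap` output quoted above;
# hosts are modelled on the quoted lines, ports and PIDs are made up.
SAMPLE_NETSTAT = """\
tcp  0 0 0.0.0.0:www           0.0.0.0:*               LISTEN      1230/apache2
tcp  0 0 www.mydomain.com:www  c-83-233-215-17.c:49686 SYN_RECV    -
tcp  0 0 www.mydomain.com:www  h-5-200.a327.priv:50165 SYN_RECV    -
tcp  0 0 www.mydomain.com:www  c-83-233-215-17.c:49702 SYN_RECV    -
tcp  0 0 www.mydomain.com:www  c-62-220-189-209.:50627 ESTABLISHED 1240/apache2
tcp  0 0 www.mydomain.com:www  c-89-160-22-176.c:57315 TIME_WAIT   -
tcp  0 0 www.mydomain.com:www  c-83-233-215-17.c:49710 TIME_WAIT   -
tcp  0 0 www.mydomain.com:ssh  c-89-160-22-176.c:40001 ESTABLISHED 900/sshd
"""

# Fields: proto recv-q send-q local remote state [pid/program]
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+([A-Z_]+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """One dict per TCP line; headers, udp and unix sockets do not match and are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, prog = m.groups()
        conns.append({"proto": proto, "local_port": local.rpartition(":")[2],
                      "peer": remote.rpartition(":")[0], "state": state,
                      "prog": prog or "-"})
    return conns

def summarize(conns, local_port="www"):
    """Count TCP states and remote peers on one service port, ignoring the LISTEN socket."""
    states, peers = Counter(), Counter()
    for c in conns:
        if c["local_port"] == local_port and c["state"] != "LISTEN":
            states[c["state"]] += 1
            peers[c["peer"]] += 1
    return states, peers

def assess(states):
    """SYN_RECV sockets are half-open handshakes held by the kernel and never reach Apache;
    only ESTABLISHED ones occupy an httpd worker. Dominant-state rule is this example's own."""
    if not states:
        return "no connections on that port"
    top, _ = states.most_common(1)[0]
    if top == "SYN_RECV":
        return "mostly half-open handshakes: the kernel, not Apache workers, holds them"
    if top == "ESTABLISHED":
        return "mostly established: Apache workers are holding these connections"
    return "mostly %s: closed or closing sockets, no worker cost" % top
```

Feed it real output with `netstat -tan` (or `ss -tan`, after adjusting the regex for ss's column order) and compare the ESTABLISHED count against the busy-worker count from /server-status.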
