From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Fri, 24 May 2013 12:23:54 +0200
Lines: 38
Message-ID:
References: <87vc68ra57.fsf@araminta.anjou.terraraq.org.uk> <87ppwgr8wz.fsf@araminta.anjou.terraraq.org.uk> <87k3mor85j.fsf@araminta.anjou.terraraq.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
User-Agent: MT-NewsWatcher/3.5.2 (Intel Mac OS X)

Richard Kettlewell wrote:

> >> >> While this will send a TCP reset to the misbehaving client, AIUI it will
> >> >> not send anything to your Apache, which by this point will have an open
> >> >> TCP connection and will be awaiting the start of the HTTP request. It
> >> >> will presumably continue waiting up to some timeout. You should be able
> >> >> to use netstat to confirm or refute this.
> >> >
> >> > Thank you for your reply. I thought "reject" just rejected the request
> >> > and nothing came to Apache?
> >>
> >> You're rejecting a packet that is part of an already-established TCP
> >> connection. iptables cannot go back in time and prevent the TCP
> >> connection from being established in the first place.
> >
> > Yes, like I said - I thought nothing came through to Apache. But
> > looking at server-status, it seems it does anyway?
>
> I don't know how to put it any more clearly; I give up.

No, please don't. Maybe I am misunderstanding you? I am not trying to argue with you.
I thought that rejecting the TCP request in iptables blocked the request from ever reaching the httpd process. Obviously it isn't blocked from the *machine*, and I apologize if you thought that was what I meant.

Mind you, I don't get any HTTP requests in Apache, but it does increment the requests number at a rate faster than the normal requests I see.

You are free to call me stupid and ignorant about iptables/httpd here, of course, but I would still very much like to solve my problem even so :)

-- 
Sandman[.net]
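The netstat check Richard suggests, as an added example that is not part of the thread: it parses `netstat -tn` style output (a constructed sample is embedded; the addresses, the local port 80 and the threshold of 3 are assumptions) and tallies ESTABLISHED connections to the web server per remote host, so you can see whether clients whose payload packets iptables REJECTed are still holding sockets open against Apache.

```python
"""Tally ESTABLISHED HTTP connections per remote host from netstat output."""
from collections import Counter

# Constructed sample of `netstat -tn` output (RFC 5737 example addresses).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:55000       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      TIME_WAIT
"""


def split_host_port(addr):
    """Split 'host:port' on the last colon (works for IPv6 forms like ::1:80)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def established_http_clients(netstat_text, local_port=80):
    """Return Counter {remote_ip: n} of ESTABLISHED connections to local_port."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the banner and column-header lines; keep tcp/tcp6 rows only.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        _, lport = split_host_port(fields[3])
        rhost, _ = split_host_port(fields[4])
        if lport == local_port and fields[5] == "ESTABLISHED":
            counts[rhost] += 1
    return counts


def flag_clients(counts, threshold=3):
    """Remote hosts holding at least `threshold` open connections (assumed cutoff)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # In practice feed it the live output: netstat -tn | python3 this_script.py
    c = established_http_clients(SAMPLE_NETSTAT)
    for ip, n in c.most_common():
        print(f"{ip:16} {n}")
    print("suspect:", flag_clients(c))
```

A high count of idle ESTABLISHED sockets from one host, with no matching request lines in the Apache access log, is exactly the state described in the quoted text: the connection was accepted before the REJECT fired.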