From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Fri, 24 May 2013 12:13:40 +0200
References: <87vc68ra57.fsf@araminta.anjou.terraraq.org.uk> <87ppwgr8wz.fsf@araminta.anjou.terraraq.org.uk>
User-Agent: MT-NewsWatcher/3.5.2 (Intel Mac OS X)

Richard Kettlewell wrote:

> >> While this will send a TCP reset to the misbehaving client, AIUI it will
> >> not send anything to your Apache, which by this point will have an open
> >> TCP connection and will be awaiting the start of the HTTP request. It
> >> will presumably continue waiting up to some timeout. You should be able
> >> to use netstat to confirm or refute this.
> >
> > Thank you for your reply. I thought "reject" just rejected the request
> > and nothing came to Apache?
>
> You’re rejecting a packet that is part of an already-established TCP
> connection. iptables cannot go back in time and prevent the TCP
> connection from being established in the first place.

Yes, like I said - I thought nothing came through to Apache. But looking
at server-status, it seems it does anyway?

--
Sandman[.net]
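Richard's suggestion of using netstat to confirm whether Apache still holds the connections can be turned into a small check. The script below is an added example, not code from the thread or from any of its participants: it parses `netstat -tn` output (the column order of netstat, not of `ss`) and counts ESTABLISHED connections to the web port per remote address. If the misbehaving client still shows several ESTABLISHED sockets on port 80 after the iptables REJECT rule was added, the reset reached the client but Apache is still waiting for a request on those sockets, exactly as Richard describes. The sample output embedded in the script is constructed, and the addresses in it are illustrative.

```python
"""Count established TCP connections to the web port, grouped by remote host.

Added example: a netstat-output parser used to verify that iptables REJECT on
an already-established connection does not close the socket on Apache's side.
The sample netstat output below is constructed; the IP addresses are made up.
"""
from collections import Counter
import subprocess

# Constructed sample of `netstat -tn` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:55010       TIME_WAIT
"""


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per tcp line.

    Header lines and non-TCP rows are skipped; the address is split on the
    last colon so IPv6 literals in netstat's output do not break the parse.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        lip, lport = local.rsplit(":", 1)
        rip, rport = foreign.rsplit(":", 1)
        yield lip, int(lport), rip, int(rport), state


def established_by_remote(text, port=80):
    """Return a Counter of ESTABLISHED connections to `port`, keyed by remote IP."""
    counts = Counter()
    for _lip, lport, rip, _rport, state in parse_netstat(text):
        if lport == port and state == "ESTABLISHED":
            counts[rip] += 1
    return counts


def live_netstat():
    """Run the real `netstat -tn`; return None if the tool is missing or fails."""
    try:
        result = subprocess.run(["netstat", "-tn"], capture_output=True,
                                text=True, check=True)
        return result.stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Use live output when available, otherwise the constructed sample.
    text = live_netstat() or SAMPLE_NETSTAT
    for remote_ip, n in established_by_remote(text).most_common():
        print(f"{remote_ip:>16}  {n} established connection(s) to :80")
```

Run it on the server while the REJECT rule is in place: a remote address that keeps appearing with open ESTABLISHED sockets on port 80 is one whose connections Apache accepted before the rule could act, so those workers will sit in the request-reading state until Apache's own timeout expires. Comparing this count against the "R" (reading request) workers in server-status is the quickest way to confirm what the thread observes.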