Slowloris and You
UPDATE: 20090826 – Corrected typo in “Slowloris and You.” It used to say “Slowlaris and You.” I keep getting slowloris confused with my nickname for “Solaris.” =D
Back in July, http://ha.ckers.org/slowloris/ published an exploit against Apache and other web servers (see the link for details) that takes advantage of multi-threaded applications. It works by tying up web server threads with partial HTTP requests, then sends TCP handshakes to keep the socket open. In general, multi-threaded web servers such as httpd, apache, and apache2 are vulnerable. IIS and most proxies are not vulnerable.
CERT suggested using iptables to rate limit incoming port 80 requests. In general, this should be fine for many applications, though CERT has warned that some large clients behind NATs may be affected, so the hitcount/time ratio should be adjusted according to your needs.
http://www.funtoo.org/en/security/slowloris/ offers tips on mitigating this attack by enabling delayed binding on hardware load balancers.
In short, it appears as though the consensus mitigation method involves connection restrictions in the form of iptables or apache modules (most are of limited value, frankly), or shielding the web servers behind load balancers (such as HA-Proxy).
Google Wave Set for Limited Release in September
Well, it looks like after much ado, Google is prepared to release its new Wave product (a revolutionary communication tool that blends the aspects of instant messaging, document collaboration, and e-mail), in September to a limited number of end-users.
Sign up here, and continue to watch for updates here.
If you don’t have to host your own email server, why do it? In fact, if any web-facing application on your site can be hosted by dedicated specialists with no real appreciable loss to availability, confidentiality, integrity, or any other factor, don’t fall victim to the do-it-just-because-you-can mentality. The chief services I advise folks to outsource are e-mail (IMAP/POP/SMTP) and DNS. These critical services are often in better hands with the likes of Google Apps, with your registrar, or with OpenDNS (not necessarily an endorsement, as these names are just the ones on the top of my head). These folks can dedicate a lot more fault-tolerant capacity than most, taking charge of security and systems management. On top of that, they sell it most likely because they’re good at it (there are no doubt exceptions, but not with the above two links). With configuration and maintenance out of your scope of responsibility, you don’t have to spend countless hours tracing emails or checking DNS propagation. Get a quote and do an analysis. If the amount of time you save by outsourcing some services is worth the price you pay to do so, then it’s a no-brainer, really.
Note: Speaking of checking all that stuff, a few neat online tools: MX Toolbox, DNSStuff, and IPTools are handy websites for mail and DNS checks.
Active Versus Passive FTP on Windows 2003
For the first bit, please refer to Slacksite’s article for an excellent writeup on the difference between Active and Passive FTP.
Windows IIS’s FTP server is configured to use ports 1025-5000 for Passive FTP traffic by default. You can follow the steps at Microsoft’s support page to change the Passive FTP port range.
To enable Passive FTP, Windows Firewall must be configured to allow traffic from these ports. After verifying that the above port range is what you would like open to FTP traffic, each port number must be opened one by one. However, a simple script to automate this process is described here.
And here is a random link (ok, the link itself isn’t random, but the link behind the link is).
Conficker Update Part 3
According to http://forum.drweb.com/index.php?showtopic=277240 , Win32.HLLW.Shadow.based is a variant of Conficker/Downadup.
Symptom: Every available port from 1024-5000 is used to connect to various servers on destination port 445. Basically, the worm opens these connections to download and wait for malicious binaries.
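The symptom above can be checked for mechanically. As an added example (not from the original post or from Dr.Web), this script parses Windows `netstat -ano` style output and flags any process holding many connections from local ports 1024-5000 to remote port 445; the netstat lines below are constructed, not captured from an infected host.

```python
import re
from collections import Counter

# Constructed sample of "netstat -ano" output (made-up addresses and PIDs).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.0.2.10:1025        198.51.100.7:445       SYN_SENT        1540
  TCP    192.0.2.10:1026        198.51.100.8:445       SYN_SENT        1540
  TCP    192.0.2.10:1027        198.51.100.9:445       SYN_SENT        1540
  TCP    192.0.2.10:1028        203.0.113.21:445       ESTABLISHED     1540
  TCP    192.0.2.10:1029        203.0.113.22:445       SYN_SENT        1540
  TCP    192.0.2.10:3389        192.0.2.55:51023       ESTABLISHED     1204
  TCP    192.0.2.10:1030        192.0.2.20:80          ESTABLISHED     2200
"""

# One TCP line: proto, local addr:port, foreign addr:port, state, PID.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<lhost>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rhost>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Yield one dict per TCP connection line; headers and UDP lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conn = m.groupdict()
            for key in ("lport", "rport", "pid"):
                conn[key] = int(conn[key])
            yield conn


def count_suspect_connections(text, low=1024, high=5000, dst_port=445):
    """Per-PID count of connections matching the worm's pattern:
    local port in the 1024-5000 range and remote port 445 (SMB)."""
    counts = Counter()
    for conn in parse_netstat(text):
        if low <= conn["lport"] <= high and conn["rport"] == dst_port:
            counts[conn["pid"]] += 1
    return counts


def flag_processes(text, threshold=3):
    """PIDs whose suspect-connection count reaches the threshold. A file
    server legitimately talks to port 445, so tune the threshold per host."""
    counts = count_suspect_connections(text)
    return sorted(pid for pid, n in counts.items() if n >= threshold)
```

Feed it the saved output of `netstat -ano` from the suspect host; a flagged PID can then be matched against `tasklist` to identify the process.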
The removal tools at http://www.bdtools.net/ do not detect this variant, and you have to use Dr.Web’s CureIt to detect and remove it. According to them, the recommended procedure is to install the following hotfixes:
* MS08-067 (http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx);
* MS08-068 (http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx);
* MS09-001 (http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx).
And then run CureIt, a fully functional shareware app.
In case you’re reading this from an infected server, I’ve downloaded and included some of these files here (because if you’re infected, you won’t be able to access certain sites, drweb.com being one).