[WEB SECURITY] RFC 2616

Jeremiah Grossman jeremiah at whitehatsec.com
Mon May 9 10:50:05 EDT 2005



Having thought I've been over the HTTP RFCs to a nauseous extent, I
was surprised to find that line in there.  I wonder if we can contact  
the authors and see what they really had in mind. Anyone on the list  
know them well enough to ask?


On Monday, May 9, 2005, at 07:44  AM, Ryan Barnett wrote:

> FUD-olicious, indeed :)  Now to answer your question specifically -
> no, I don't know who is currently doing research, or what data they
> have.

> Keep in mind that 2616 was written back in 99.  It wasn't too long
> after that when the big DDoS attacks occurred knocking out eBay, Yahoo,
> etc....  That is why I don't think that they were referring to any
> specific proxy/layer 7 DoS attacks, but rather the impact of taking
> out a proxy with a DoS attack.
>
> While not a DoS attack against a proxy, you might find HTTP Response
> Splitting interesting -
> http://www.webappsec.org/projects/threat/classes/http_response_splitting.shtml
>
> -- 
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GCUX, GSEC
>
> On 5/9/05, TheGesus <thegesus at gmail.com> wrote:
>> Ominously states....
>> ====================================
>> 15.7.1 Denial of Service Attacks on Proxies
>>
>>   They exist. They are hard to defend against. Research continues. Beware.
>> ====================================
>>
>> Any idea who's doing the research and what they have so far?
>>
>> BTW, if you Google "Denial of Service Attacks on Proxies" you get ~11
>> pages worth of...
>>
>> "They exist. They are hard to defend against. Research continues. Beware."
>>
>> Now I can't sleep at night.
>>
>> ---------------------------------------------------------------------
>> The Web Security Mailing List
>> http://www.webappsec.org/lists/websecurity/
>>
>>
>
>




