[WEB SECURITY] RFC 2616

Tom Mason TMason at golfbreaks.com
Mon May 9 11:15:12 EDT 2005


Aren't DoS attacks an unavoidable consequence of the inherent openness
of HTTP?  To eradicate the possibility of DoS attacks, wouldn't we have
to modify HTTP to not allow unauthenticated connections (which is what
makes the web so great in the first place)?

Or is a DoS attack on a proxy something different that I don't know
about?

Tom Mason - IT Developer
www.golfbreaks.com

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com] 
Sent: 09 May 2005 15:50
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] RFC 2616



Having thought I've been over the HTTP RFC's to a nauseous extent, I was
surprised to find that line in there.  I wonder if we can contact the
authors and see what they really had in mind. Anyone on the list know
them well enough to ask?


On Monday, May 9, 2005, at 07:44  AM, Ryan Barnett wrote:

> FUD-olicious, indeed :)  Now to answer your question specifically - 
> no, I don't know who is currently doing research, or what data they 
> have.

> Keep in mind that 2616 was written back in 99.  It wasn't too long 
> after that when the big DDoS attacks occurred knocking out Ebay, Yahoo,
> etc....  That is why I don't think that they were referring to any 
> specific proxy/layer 7 DoS attacks, but rather the impact of taking 
> out a proxy with a DoS attack.
>
> While not a DoS attack against a proxy, you might find HTTP Response 
> Splitting interesting - 
> http://www.webappsec.org/projects/threat/classes/
> http_response_splitting.shtml
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GCUX, GSEC
>
> On 5/9/05, TheGesus <thegesus at gmail.com> wrote:
>> Ominously states....
>> ====================================
>> 15.7.1 Denial of Service Attacks on Proxies
>>
>>   They exist. They are hard to defend against. Research continues.   
>> Beware.
>> ====================================
>>
>> Any idea who's doing the research and what they have so far?
>>
>> BTW, if you Google "Denial of Service Attacks on Proxies" you get ~11
>> pages worth of...
>>
>> "They exist. They are hard to defend against. Research continues.   
>> Beware."
>>
>> Now I can't sleep at night.
>>
>> ---------------------------------------------------------------------
>> The Web Security Mailing List
>> http://www.webappsec.org/lists/websecurity/


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
