[Zope] Responding to hackers

Passin, Tom tpassin@mitretek.org
Mon, 28 Oct 2002 16:48:11 -0500


Skip Montanaro wrote:
> >     >> You might be able to slow them down.  Depending what sort of control
> >     >> you have over the HTTP bits stuffed on the wire, when you encounter
> >     >> requests for such pages, you can have the thread serving the
> >     >> connection slow its responses to a crawl, issue "100 Continue"
> >     >> responses, etc.
> >
> >     Chris> Isn't this the same as a DOS attack on your own server, though?
> >
> > To avoid this problem you could cap the number of "sluggish" responses
> > at some figure, after which you simply fall back to regular 404
> > responses.
>

You know, I am not so sure you ought to go slowing down your responses
to these attacks.  It won't really affect the sending sites, since they
are done automatically and there is no one to get bored or irritated by
the slowness.  But it will slow down your own machine by tying up one or
more threads.

Why not just send a 403 response ("Forbidden") and walk through the
attacking sequence as fast as possible and be done with it?

As I recall from some of my testing on these attacks, if you give any
response that seems like a return, they go through their entire
repertoire.  A 403 still elicits part of the standard bag of tricks, but
less of it, IIRC.  403 was, I thought at the time, the best response in
terms of minimizing the number of requests in one of these attack
sequences.

Cheers,

Tom P
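
The two options discussed in this thread, as an added example that is not part of the original message and not Zope's own code: a WSGI middleware (an assumption about the deployment) that delays at most max_slow probe responses at a time and answers the rest immediately with 403. Setting max_slow=0 gives the plain fast-403 behaviour; the class name, parameters and probe markers are hypothetical.

```python
import threading
import time

# Constructed sample markers for automated probe requests (an assumption;
# the thread does not name the URLs involved). Substitute your own.
PROBE_MARKERS = ("cmd.exe", "root.exe", "default.ida")


class ProbeResponder:
    """WSGI middleware: answer probe requests with 403, delaying at most
    max_slow of them at a time so the tarpit cannot exhaust worker threads."""

    def __init__(self, app, max_slow=2, delay=5.0, sleep=time.sleep):
        self.app = app
        self.delay = delay
        self.sleep = sleep  # injectable so the delay can be tested
        self.slots = threading.BoundedSemaphore(max_slow)
        self.stats = {"slow": 0, "fast": 0}
        self._lock = threading.Lock()

    def _count(self, key):
        with self._lock:
            self.stats[key] += 1

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "").lower()
        if not any(marker in path for marker in PROBE_MARKERS):
            return self.app(environ, start_response)  # normal traffic
        # Non-blocking acquire: if every slow slot is busy, answer at once
        # instead of tying up another thread.
        if self.slots.acquire(blocking=False):
            try:
                self._count("slow")
                self.sleep(self.delay)
            finally:
                self.slots.release()
        else:
            self._count("fast")
        body = b"Forbidden\n"
        start_response("403 Forbidden", [
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
        ])
        return [body]
```

The stats counters show how often the cap was hit, which indicates whether the delay is costing more threads than it is worth.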