[Zope3-Users] Crash

Giovannetti, Mark giovanne at nrcan.gc.ca
Mon Mar 12 11:55:53 EDT 2007



> -----Original Message-----
> From: David Johnson
> 
> Our Zope 3.2.1 server is crashing and we cannot determine why.
> 
> The last entry in the access.log is the following:
> 218.160.132.172 - - [10/Mar/2007:22:11:45 -0500] "CONNECT  
> sextw.com.tw:25 HTTP/1.0" 404 0 "-" "-"
> 

Hi David,

This is an attack on your server to attempt to proxy a 
connection (CONNECT) to a third party SMTP (port 25) server 
(sextw.com.tw).  The CONNECT command (i.e. like POST, GET
and HEAD commands) is part of the HTTP RFC.  It is normally
not needed on the vast majority of http servers and is 
usually disabled.  I do not know how zope3 handles this
case other than by your observed crash.  Technically,
what you are experiencing is a Denial of Service (DoS).
This is only just slightly better than having the actual
CONNECT command succeed.  If it succeeds then you have 
just become a spam engine.

If you could get a packet capture of the incoming traffic
during one of these attacks you might be able to determine
how zope is answering.

I would recommend that you place zope behind an Apache
proxy server for its protection.  Personally, I would rather 
trust in Apache's robustness for dealing with internet threats
than (from my point of view) the relatively unhardened 
internal implementation (twisted or otherwise) that zope 3 
offers.  By unhardened, I mean that zope 3 has not undergone
(to my knowledge) the many years of discovering and fixing
of security issues that apache has.  I do not know the extent
to which zope 3 has undergone any security vulnerability analysis
and testing.

Both of the zope books explain how to place apache in front
of zope and it is quite straightforward.

Mark

-- 
613-947-1359
System Scientist / Scientifique, spécialiste des systèmes
Canada Centre for Remote Sensing / Centre canadien de télédétection
Natural Resources Canada, 588 Booth Street, Ottawa, Ontario, Canada, K1A 0Y7
Ressources naturelles Canada, 588 rue Booth, Ottawa, Ontario, Canada, K1A 0Y7
Government of Canada / Gouvernement du Canada
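Mark suggests looking at how the server is answering these probes. A practical first step, before any packet capture, is to triage the access.log itself: pull out every CONNECT request, split the target into host and port, and distinguish a refused tunnel (a 404 like the one David saw) from one that actually succeeded (a 2xx, meaning the server relayed the connection and is acting as an open proxy). The script below is an added example for this thread, not code posted by either author and not part of Zope or Apache; the log lines are constructed to mimic the combined log format in David's report, and the set of "mail relay" ports is an assumption chosen to flag the spam-engine case Mark describes.

```python
"""Triage HTTP CONNECT proxy-abuse probes in an access.log.

Added example for the Zope3-users thread above; not code from the thread,
from Zope, or from Apache. SAMPLE_LOG is constructed for illustration and
mimics the combined log format (ip ident user [time] "request" status bytes
"referer" "user-agent") shown in David's report.
"""
import re
from collections import Counter

# Combined log format. Method and target are captured separately so that a
# CONNECT target (authority form: host:port) can be inspected on its own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)(?:\s+(?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumption: ports a proxy-abuser would tunnel to in order to relay mail.
MAIL_PORTS = {25, 465, 587}

# Constructed sample input: the probe from David's report plus a normal GET,
# a CONNECT that was (hypothetically) allowed through, a non-mail CONNECT,
# and a line that does not parse at all.
SAMPLE_LOG = """\
218.160.132.172 - - [10/Mar/2007:22:11:45 -0500] "CONNECT sextw.com.tw:25 HTTP/1.0" 404 0 "-" "-"
10.0.0.5 - - [10/Mar/2007:22:11:46 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2007:22:12:01 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"
198.51.100.4 - - [10/Mar/2007:22:12:30 -0500] "CONNECT irc.example.org:6667 HTTP/1.0" 404 0 "-" "-"
this line is deliberately malformed and must be skipped, not crash the scan
"""


def parse_line(line):
    """Parse one access.log line; return a dict of fields or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def split_target(target):
    """Split a CONNECT authority 'host:port' into (host, port); port is None if absent."""
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return target, None


def classify(entry):
    """Return a finding for a CONNECT request, or None for any other method.

    A 2xx status means the server established the tunnel, i.e. it is an open
    proxy; anything else means the request was refused (David's case: 404).
    A target port in MAIL_PORTS is tagged separately, since a successful
    tunnel there turns the host into a spam relay.
    """
    if entry["method"] != "CONNECT":
        return None
    host, port = split_target(entry["target"])
    verdict = "OPEN_PROXY" if 200 <= entry["status"] < 300 else "REFUSED"
    if port in MAIL_PORTS:
        verdict += "_SMTP"
    return {
        "ip": entry["ip"],
        "host": host,
        "port": port,
        "status": entry["status"],
        "verdict": verdict,
    }


def scan(log_text):
    """Scan a whole log; unparseable lines are skipped rather than fatal."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count CONNECT probes per source IP so repeat offenders stand out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['verdict']:<16} {f['ip']:<16} -> {f['host']}:{f['port']} ({f['status']})")
    print(summarize(scan(SAMPLE_LOG)))
```

Run it against a real access.log by passing the file contents to scan(); any OPEN_PROXY verdict means the server relayed a tunnel and should be treated as an incident, not just a probe. Note that the scan only sees requests the server managed to log: if Zope crashed while handling the CONNECT, the line that triggered the crash may be the last one in the file, which is exactly the pattern David reported.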