DDOS Attacks
#11

BrianDHall
Hm, I believe a modern Cisco firewall and possibly IDS (Intrusion Detection System) are capable of handling these problems when correctly configured. Using all available processes on a server sounds like it should be a lot of connections, so if done from a certain IP or range of IPs they should be able to figure out "Hey, there is no reason for anyone to create so many connections to the same resource...*kill*".

However, if they are using a set of zombie hosts from all sorts of IPs and each is creating a valid request then no, neither a router nor an IDS would likely see it and the attack would succeed - unless either has a rule about connections lasting longer than a set amount of time.

I believe this is a theoretical weakness in PHP itself in how it handles uploads, so I am not aware of anything that can be done from either a script or hardware perspective. I think a PHP script gets invoked until after the upload is already done and held temporarily on the server, so the weakness is already exploited before the script ever gets wind of it.

I would think something in PHP or some intermediate layer would need to be programmed specifically to look for these hanging, or very slow, socket connections and kill them - in effect there should be a max 'wait' time for connection and a minimum upload speed.

EDIT: Actually, I think the firewall or IDS should be able to figure out minimum connection speed or oddly long waiting for connection requests and terminate such connections, thereby freeing the server processes.

For all I know they already do, but we'd need a Cisco nerd to say for sure. That's way out of my depth.
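The two limits the post asks for, a maximum wait time and a minimum upload speed, sketched as an added Python example that is not part of the original thread. The thresholds, the `Conn` record and the sample connections are constructed assumptions; the check is applied per connection, so it does not depend on the requests coming from one IP or range.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy values, chosen only for illustration.
MAX_WAIT_S = 10.0      # longest allowed silence (no first byte, or no further bytes)
GRACE_S = 5.0          # age before the average-rate check is applied
MIN_RATE_BPS = 500.0   # minimum sustained upload rate in bytes per second

@dataclass
class Conn:
    peer: str                      # label only; the verdict never uses it
    opened_at: float               # seconds on a monotonic clock
    bytes_received: int
    last_byte_at: Optional[float]  # None while nothing has arrived

def verdict(conn: Conn, now: float) -> str:
    """Return 'keep' or a 'kill:<reason>' string for one connection."""
    age = now - conn.opened_at
    if conn.bytes_received == 0:
        # Connected but never sent anything: enforce the maximum wait.
        return "kill:no-data" if age > MAX_WAIT_S else "keep"
    if now - conn.last_byte_at > MAX_WAIT_S:
        # Started sending, then went silent while still holding a worker.
        return "kill:stalled"
    if age > GRACE_S and conn.bytes_received / age < MIN_RATE_BPS:
        # Still trickling data, but below the minimum upload speed.
        return "kill:too-slow"
    return "keep"

def reap(conns, now: float) -> dict:
    """Map peer -> reason for every connection that should be closed."""
    return {c.peer: v for c in conns if (v := verdict(c, now)) != "keep"}

# Constructed sample table, observed at t=60 s (documentation address ranges).
SAMPLE = [
    Conn("192.0.2.10", 58.0, 40_000, 59.9),       # new and fast
    Conn("198.51.100.7", 20.0, 0, None),          # open 40 s, nothing sent
    Conn("203.0.113.5", 0.0, 1_200, 59.0),        # 20 B/s trickle
    Conn("192.0.2.44", 30.0, 900_000, 41.0),      # silent for 19 s
    Conn("198.51.100.9", 10.0, 5_000_000, 59.5),  # normal large upload
]

if __name__ == "__main__":
    for peer, reason in reap(SAMPLE, now=60.0).items():
        print(peer, reason)
```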

