Phase for controlling network input?

[Bill McGonigle <mc...@medicalmedia.com>]

I'm hoping this is possible with mod_perl, since I'm already familiar 
with it and fairly allergic to c, but can't seem to figure out the right 
phase.

I've been seeing log files recently that point to a certain DDOS attack 
brewing on apache servers.  I want to write a module that keeps a timer 
for the interval from when the apache child gets a network connection to 
when the client request has been sent.

I need a trigger when a network connection is established and a trigger 
when apache thinks it has received the request (before the response).

PerlChildInitHandler seems too early, since the child may be a 
pre-forked child without a connection.  PerlPostReadRequest seems too 
late since I can't be guaranteed of being called if the request isn't 
complete, which is the problem I'm trying to solve.  I could clear a 
flag in PerlPostReadRequest, but that would imply something is 
persisting from before that would be able to read the flag.

Maybe I'm think about this all wrong.  Any suggestions?

Thanks,
-Bill

Re: Perl Scripting help

[Brian Reichert <re...@numachi.com>]

On Thu, Sep 27, 2001 at 09:22:41AM +1000, Matthew Blacklow wrote:
> I am writing a script at the moment which among others things creates
> another process using the system call.
> What I need to do is capture the screen output of this process into a string
> variable so that it can latter be manipulaterd. ie. capture the STDOUT.

This isn't the right forum for this, really, but assuming you mean
STDOUT/STDERR, consider this:

  <http://www.cpan.org/authors/id/R/RE/REICHERT/System2-0.81.tar.gz>

> Any help, suggestions or sample code would be appreciated.
> 
> Thanks,
> Matthew

-- 
Brian 'you Bastard' Reichert		<re...@numachi.com>
37 Crystal Ave. #303			Daytime number: (603) 434-6842
Derry NH 03038-1713 USA			Intel architecture: the left-hand path

Re: Perl Scripting help

[Ray Graham <rg...@lsil.com>]

You'll need to use the backticks instead of the system call.

$output = `command`;

To get each line of the output, you'll need to split off of \n.

-Ray Graham

Re: Perl Scripting help

["Ken Y. Clark" <kc...@logsoft.com>]

On Thu, 27 Sep 2001, Matthew Blacklow wrote:

> Date: Thu, 27 Sep 2001 09:22:41 +1000
> From: Matthew Blacklow <ma...@ticca.com>
> To: modperl@apache.org
> Subject: Perl Scripting help
>
> I am writing a script at the moment which among others things creates
> another process using the system call.
> What I need to do is capture the screen output of this process into a string
> variable so that it can latter be manipulaterd. ie. capture the STDOUT.
>
> Any help, suggestions or sample code would be appreciated.
>
> Thanks,
> Matthew

Matthew,

This isn't the right forum for general Perl help.  Generally speaking,
you should only post mod_perl-specific questions.  If your question is
how best to capture STDOUT from an external program from within a
mod_perl program, then I might suggest you examine something like
Apache::SubProcess or just search The Guide
(http://perl.apache.org/guide) or use Google to search the web for
your answer -- all of which is not to say that you couldn't just
backtick your program and capture the output in a scalar.  There's
lots of information on this.  `perldoc perlop` and look for
"backtick," or, again, use Google to look for your answer.  Or
consider posting your question to an audience who will be more likely
to answer your question, like comp.lang.perl.misc.

ky

Perl Scripting help

[Matthew Blacklow <ma...@ticca.com>]

I am writing a script at the moment which among others things creates
another process using the system call.
What I need to do is capture the screen output of this process into a string
variable so that it can latter be manipulaterd. ie. capture the STDOUT.

Any help, suggestions or sample code would be appreciated.

Thanks,
Matthew

Re: Phase for controlling network input?

[Bill McGonigle <mc...@medicalmedia.com>]

On Wednesday, September 26, 2001, at 11:58 , Simon Rosenthal wrote:

> I'm not sure that any mod_perl handlers are dispatched until the whole 
> request is received, so you may have to deal with this at the core 
> Apache level.

I was expecting as much, just hoping it wasn't true. ;)

>
> I think the following is your best bet (from 
> http://httpd.apache.org/docs/mod/core.html#timeout )
>
>> TimeOut directive

Yeah, the trick is I need to do a per-IP rule and not take out 
high-latency users.

> We've  experienced this kind of attack inadvertently (as the result of 
> a totally misconfigured HTTP client app which froze in the middle of 
> sending an HTTP request ;=) but I wasn't aware that there were known 
> attacks based on that.

Known as in experienced in the wild, no, but folks on nanog are talking 
about strange log file entries.  For instance I see blocks of 408's at 
very very regular intervals from the same clients, of unknown origin.  I 
wrote a proof-of-concept exploit that takes out my (stock config) Apache 
server for 6 minutes (from one client), and the math says that 30-or-so 
machines in a DDOS would tie up my Apache indefinitely no matter how I 
configured it (anything that would reasonably allow normal users to 
connect successfully).  I got a higher hit frequency from nimda than 
that, so everything is in place for it to happen.  I'm attempting the 
ounce of prevention.

I wrote to the apache security list about it, with a proposed fix, but 
have received no response, so I'm investigating doing it myself.  I 
don't think I know apache internals well enough, though I'm not bad with 
mod_perl.  If anyone good with apache c is interested I'm happy to share 
full details off-list.

-Bill
-----
Bill McGonigle
Research & Development
Medical Media Systems, Inc.
http://www.medicalmedia.com
+1.603.298.5509x329

Re: Phase for controlling network input?

[Simon Rosenthal <sr...@northernlight.com>]

I'm not sure that any mod_perl handlers are dispatched until the whole 
request is received, so you may have to deal with this at the core Apache 
level.

I think the following is your best bet (from 
http://httpd.apache.org/docs/mod/core.html#timeout )

>TimeOut directive
>
>Syntax: TimeOut number
>Default: TimeOut 300
>Context: server config
>Status: core
>
>The TimeOut directive currently defines the amount of time Apache will 
>wait for three things:
>
>    1.The total amount of time it takes to receive a GET request.
>    2.The amount of time between receipt of TCP packets on a POST or PUT 
> request.
>    3.The amount of time between ACKs on transmissions of TCP packets in 
> responses.
>
>We plan on making these separately configurable at some point down the 
>road. The timer used to default to 1200 before 1.2, but has been lowered
>to 300 which is still far more than necessary in most situations. It is 
>not set any lower by default because there may still be odd places in the code
>where the timer is not reset when a packet is sent.


We've  experienced this kind of attack inadvertently (as the result of a 
totally misconfigured HTTP client app which froze in the middle of sending 
an HTTP request ;=) but I wasn't aware that there were known attacks based 
on that.

-Simon


At 11:09 AM 9/26/2001, Bill McGonigle wrote:
>I'm hoping this is possible with mod_perl, since I'm already familiar with 
>it and fairly allergic to c, but can't seem to figure out the right phase.
>
>I've been seeing log files recently that point to a certain DDOS attack 
>brewing on apache servers.  I want to write a module that keeps a timer 
>for the interval from when the apache child gets a network connection to 
>when the client request has been sent.
>
>I need a trigger when a network connection is established and a trigger 
>when apache thinks it has received the request (before the response).
>
>PerlChildInitHandler seems too early, since the child may be a pre-forked 
>child without a connection.  PerlPostReadRequest seems too late since I 
>can't be guaranteed of being called if the request isn't complete, which 
>is the problem I'm trying to solve.  I could clear a flag in 
>PerlPostReadRequest, but that would imply something is persisting from 
>before that would be able to read the flag.
>
>Maybe I'm think about this all wrong.  Any suggestions?
>
>Thanks,
>-Bill

-----------------------------------------------------
Simon Rosenthal (srosenthal@northernlight.com)
Web Systems Architect
Northern Light Technology
One Athenaeum Street. Suite 1700, Cambridge, MA  02142
Phone:  (617)621-5296: URL:  http://www.northernlight.com
"Northern Light - Just what you've been searching for"