Posted to dev@httpd.apache.org by "Ivan Barrera A." <Br...@Ivn.cl> on 2005/04/18 22:24:50 UTC

Reading byte to byte from client request

Hi. I'm new to the list, and I hope not to be posting off topic.

  I've been trying to do this (read the client request byte by byte)
for a while, with no success. I've asked in the modules list also.
  My idea is to be able to know the time between every char that
arrives. Why? Because we've been attacked with some DDoS script that
opens a socket, puts a char, waits a second, puts another char, and so on.
I reproduced this script, and it works, consuming all http children (or
threads) and no one is able to see my sites anymore.
  Well. I've developed a mod that helps with this, but it still isn't
able to detect this kind of attack. I've read a lot, followed the source
code, and still don't understand where to put my filter (if there is any
place to do this) so I can get access to the "stream".

  On another mod, I also want to do this, but in the output, so I can
determine the speed the client is downloading (so I can make a better
bandwidth management mod).

  Could anyone tell me where to look? Or some example on how to do it?
Or simply.. if it cannot be done?

  Thanks a lot for taking the time to read this.

Bruce.-

Re: Reading byte to byte from client request

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
>>>
>>>You should reimplement the core filter, which will allow you to drive
>>>network socket activity, even if mod_ssl is in place.
>>
>>I was afraid you might say that :)
> 
> 
> It's not nearly as difficult as you might imagine, took me about
> three days for mod_ftp's core filter replacement (had to poll both
> the data and control sockets.)  
> 
> Steal liberally from the core socket implementation.
> 
> Whatever you do - do NOT READ BYTE AT A TIME, unless you want
> your 'solution' to be more toxic than the cure.
> 
> Simply set a low-threshold timeout, and as an early poster pointed
> out, compare the request time with the accumulated time each time
> that the read pops.

Ok..
I'll try that... (I think I understood)

Thanks

Re: Reading byte to byte from client request

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 01:33 PM 4/20/2005, Ivan Barrera A. wrote:
>William A. Rowe, Jr. wrote:
>>At 11:23 AM 4/20/2005, Ivan Barrera A. wrote:
>>
>>>>>Ok.. I thought about that, but the problem arises when I need to check
>>>>>every byte.
>>>>>Why? Because my input filter is getting control over when a line is
>>>>>entered. With a little Perl script, I'm opening a socket and putting the
>>>>>same char over and over, with 2 seconds of delay between them. As I
>>>>>never put a CR-LF, my mod never gets the control to see this delay :(
>>>>
>>>>I don't think an input filter is the appropriate place to do time out checks.
>>>
>>>I also think that.. but then.. where ???
>>
>>You should reimplement the core filter, which will allow you to drive
>>network socket activity, even if mod_ssl is in place.
>
>I was afraid you might say that :)

It's not nearly as difficult as you might imagine, took me about
three days for mod_ftp's core filter replacement (had to poll both
the data and control sockets.)  

Steal liberally from the core socket implementation.

Whatever you do - do NOT READ BYTE AT A TIME, unless you want
your 'solution' to be more toxic than the cure.

Simply set a low-threshold timeout, and as an early poster pointed
out, compare the request time with the accumulated time each time
that the read pops.



Re: Reading byte to byte from client request

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
William A. Rowe, Jr. wrote:
> At 11:23 AM 4/20/2005, Ivan Barrera A. wrote:
> 
> 
>>>>Ok.. I thought about that, but the problem arises when I need to check
>>>>every byte.
>>>>Why? Because my input filter is getting control over when a line is
>>>>entered. With a little Perl script, I'm opening a socket and putting the
>>>>same char over and over, with 2 seconds of delay between them. As I
>>>>never put a CR-LF, my mod never gets the control to see this delay :(
>>>
>>>I don't think an input filter is the appropriate place to do time out checks.
>>
>>I also think that.. but then.. where ???
> 
> 
> You should reimplement the core filter, which will allow you to drive
> network socket activity, even if mod_ssl is in place.
> 

I was afraid you might say that :)

Thanks

Re: Reading byte to byte from client request

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 11:23 AM 4/20/2005, Ivan Barrera A. wrote:

>>>Ok.. I thought about that, but the problem arises when I need to check
>>>every byte.
>>>Why? Because my input filter is getting control over when a line is
>>>entered. With a little Perl script, I'm opening a socket and putting the
>>>same char over and over, with 2 seconds of delay between them. As I
>>>never put a CR-LF, my mod never gets the control to see this delay :(
>>
>>I don't think an input filter is the appropriate place to do time out checks.
>
>I also think that.. but then.. where ???

You should reimplement the core filter, which will allow you to drive
network socket activity, even if mod_ssl is in place.




Re: Reading byte to byte from client request

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
>>>
>>>Why not use the time since the start of the request instead?
>>>
>>
>>Ok.. I thought about that, but the problem arises when I need to check
>>every byte.
>>Why? Because my input filter is getting control over when a line is
>>entered. With a little Perl script, I'm opening a socket and putting the
>>same char over and over, with 2 seconds of delay between them. As I
>>never put a CR-LF, my mod never gets the control to see this delay :(
> 
> 
> I don't think an input filter is the appropriate place to do time out checks.

I also think that.. but then.. where ???



Re: Reading byte to byte from client request

Posted by Olaf van der Spek <ol...@gmail.com>.
On 4/20/05, Ivan Barrera A. <Br...@ivn.cl> wrote:
> Olaf van der Spek wrote:
> > On 4/20/05, Ivan Barrera A. <Br...@ivn.cl> wrote:
> >
> >>no chance ?
> >
> >
> > Why not use the time since the start of the request instead?
> >
> 
> Ok.. I thought about that, but the problem arises when I need to check
> every byte.
> Why? Because my input filter is getting control over when a line is
> entered. With a little Perl script, I'm opening a socket and putting the
> same char over and over, with 2 seconds of delay between them. As I
> never put a CR-LF, my mod never gets the control to see this delay :(

I don't think an input filter is the appropriate place to do time out checks.

Re: Reading byte to byte from client request

Posted by Olaf van der Spek <ol...@gmail.com>.
On 4/20/05, Ivan Barrera A. <Br...@ivn.cl> wrote:
> no chance ?

Why not use the time since the start of the request instead?

Re: Reading byte to byte from client request

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
no chance ?

Ivan Barrera A. wrote:
> Hi. I'm new to the list, and I hope not to be posting off topic.
> 
>  I've been trying to do this (read the client request byte by byte)
> for a while, with no success. I've asked in the modules list also.
>  My idea is to be able to know the time between every char that arrives.
> Why? Because we've been attacked with some DDoS script that opens a
> socket, puts a char, waits a second, puts another char, and so on. I
> reproduced this script, and it works, consuming all http children (or
> threads) and no one is able to see my sites anymore.
>  Well. I've developed a mod that helps with this, but it still isn't
> able to detect this kind of attack. I've read a lot, followed the source
> code, and still don't understand where to put my filter (if there is any
> place to do this) so I can get access to the "stream".
> 
>  On another mod, I also want to do this, but in the output, so I can
> determine the speed the client is downloading (so I can make a better
> bandwidth management mod).
> 
>  Could anyone tell me where to look? Or some example on how to do it?
> Or simply.. if it cannot be done?
> 
>  Thanks a lot for taking the time to read this.
> 
> Bruce.-
>