If you use apache... Must read


Moderator: General Moderators

Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: If you use apache... Must read

Post by Jonah Bron »

I agree. If you could take down my website with a program running on a phone, I would say it's a bug, not a feature.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: If you use apache... Must read

Post by VladSun »

Well, I could bring this site down by using an SYN flood attack.... So, stop using TCP!
I could bring this site down by using a UDP flood attack.... So, stop using UDP!
And now what?!?!

But there is a mod_antiloris, so let's continue using Apache!

I.e. all features are "buggy", "exploitable" by default, but there are some defenses we could use.

Also, it doesn't matter what resource one would have to use in order to have a successful attack - when it comes to security nothing matters.
There are 10 types of people in this world, those who understand binary and those who don't
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: If you use apache... Must read

Post by VladSun »

josh wrote:...legitimate dialup users ...
What's a "dialup user"? I've heard about it some time ago... :twisted:
There are 10 types of people in this world, those who understand binary and those who don't
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: If you use apache... Must read

Post by Jonah Bron »

VladSun wrote:Also, it doesn't matter what resource one would have to use in order to have a successful attack - when it comes to security nothing matters.
I'm not sure how that makes sense. For example, it would take practically forever to decrypt a SHA-512 password, but it's possible. Does that mean we should stop using SHA-512? No, because it's a practical solution. MD5 is very easy to decrypt. Does that mean we should stop using MD5? Yes.

If it takes at least as many resources to take down a server as the server itself has, okay. If you can take it down with an 8-bit processor on dialup, then no: there's something that needs to be fixed.

VladSun wrote:What's a "dialup user"? I've heard about it some time ago...
What a funny name. Almost sounds like it's internet signals over telephone wire. But seriously, it's not too far behind. I only have (very expensive) wireless high-speed internet available.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: If you use apache... Must read

Post by josh »

I agree with the above. For example, if it's very easy to break into a bank, you would consider that a flaw with the bank's security; although technically strong security can still be exploited, it would be considered a flaw. I think the same analogy transfers over to the virtual world of security.

PS > You can't take down these forums with a SYN flood, without using a comparable amount of bandwidth to that of the server. With a slowloris attack, you could knock Google offline (with all their data centers), for example, with a 56k modem. [1]

1 - Yes I know Google is not actually vulnerable to slowloris, but if they were this statement would hold true.

So with vulnerabilities I guess you have to rank it on a spectrum, there is dark gray and light gray area so to speak, there is no black & white clear cut definition of a "bug". Considering this spectrum, slowloris is "very dark gray".