If you use apache... Must read
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: If you use apache... Must read
I agree. If you could take down my website with a program running on a phone, I would say it's a bug, not a feature.
Re: If you use apache... Must read
Well, I could bring this site down by using an SYN flood attack.... So, stop using TCP!
I could bring this site down by using a UDP flood attack.... So, stop using UDP!
And now what?!?!
But there is a mod_antiloris, so let's continue using Apache!
I.e. all features are "buggy", "exploitable" by default, but there are some defenses we could use.
Also, it doesn't matter what resource one would have to use in order to have a successful attack - when it comes to security nothing matters.
There are 10 types of people in this world, those who understand binary and those who don't
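One way to see why a per-client limit can blunt this kind of attack without cutting off a slow legitimate user, as an added example that is not from any poster and is not mod_antiloris's own code. The connection table, state names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed snapshot of a web server's connection table (not real data).
# Each row: (client_ip, state, seconds_in_state, header_bytes_received)
CONSTRUCTED_CONNECTIONS = (
    # One client holding eight connections open while trickling header bytes.
    [("198.51.100.7", "reading_headers", 30.0 + i, 40 + 2 * i) for i in range(8)]
    # A slow but legitimate client: one connection, poor throughput.
    + [("203.0.113.20", "reading_headers", 12.0, 300)]
    # A shared proxy: many connections, but each request arrives quickly.
    + [("192.0.2.44", "reading_headers", 0.2, 480) for _ in range(12)]
    + [("192.0.2.44", "sending_response", 3.0, 510)]
)


def flag_slow_header_clients(connections, max_pending=5, min_age=10.0, min_rate=50.0):
    """Return {ip: stalled_count} for clients that hold more than
    `max_pending` connections which have been waiting on request headers
    for at least `min_age` seconds at under `min_rate` bytes per second.

    Thresholds are illustrative assumptions, not values from any module.
    """
    stalled = defaultdict(int)
    for ip, state, age, received in connections:
        # Only connections still waiting for the request to finish count.
        if state != "reading_headers" or age < min_age:
            continue
        # Slow on its own is not suspicious; it is counted, not blocked.
        if received / age < min_rate:
            stalled[ip] += 1
    # A client is flagged only when many of its connections are stalled at once.
    return {ip: n for ip, n in stalled.items() if n > max_pending}


if __name__ == "__main__":
    for ip, count in flag_slow_header_clients(CONSTRUCTED_CONNECTIONS).items():
        print(f"{ip}: {count} connections stalled in header read")
```

The single slow connection and the busy proxy both pass; only the client that pairs low throughput with many simultaneous pending requests is flagged.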
Re: If you use apache... Must read
josh wrote: ...legitimate dialup users ...
What's a "dialup user"? I've heard about it some time ago...
- Jonah Bron
Re: If you use apache... Must read
VladSun wrote: Also, it doesn't matter what resource one would have to use in order to have a successful attack - when it comes to security nothing matters.
I'm not sure how that makes sense. For example, it would take practically forever to decrypt a SHA-512 password, but it's possible. Does that mean we should stop using SHA-512? No, because it's a practical solution. MD5 is very easy to decrypt. Does that mean we should stop using MD5? Yes.
If it takes at least as many resources to take down a server as the server itself has, okay. If you can take it down with an 8-bit processor on dialup, then no: there's something that needs to be fixed.
VladSun wrote: What's a "dialup user"? I've heard about it some time ago...
What a funny name. Almost sounds like it's internet signals over telephone wire. But seriously, it's not too far behind. I only have (very expensive) wireless high-speed internet available.
Re: If you use apache... Must read
I agree with the above. For example, if it's very easy to break into a bank, you would consider that a flaw with the bank's security, although technically strong security can still be exploited, it would be considered a flaw. I think the same analogy transfers over to the virtual world of security.
PS > You can't take down these forums with a SYN flood, without using a comparable amount of bandwidth to that of the server. With a slowloris attack, you could knock Google offline (with all their data centers), for example, with a 56k modem. [1]
1 - Yes I know Google is not actually vulnerable to slowloris, but if they were this statement would hold true.
So with vulnerabilities I guess you have to rank it on a spectrum, there is dark gray and light gray area so to speak, there is no black & white clear cut definition of a "bug". Considering this spectrum, slowloris is "very dark gray".