Re: If you use apache... Must read
Posted: Sun Dec 19, 2010 3:25 pm
by Jonah Bron
I agree. If you could take down my website with a program running on a phone, I would say it's a bug, not a feature.
Re: If you use apache... Must read
Posted: Sun Dec 19, 2010 6:16 pm
by VladSun
Well, I could bring this site down by using a SYN flood attack.... So, stop using TCP!
I could bring this site down by using a UDP flood attack.... So, stop using UDP!
And now what?!?!
But there is a mod_antiloris, so let's continue using Apache!
I.e. all features are "buggy", "exploitable" by default, but there are some defenses we could use.
Also, it doesn't matter what resource one would have to use in order to have a successful attack - when it comes to security nothing matters.
Re: If you use apache... Must read
Posted: Sun Dec 19, 2010 6:26 pm
by VladSun
josh wrote:...legitimate dialup users ...
What's a "dialup user"? I've heard about it some time ago...

Re: If you use apache... Must read
Posted: Sun Dec 19, 2010 6:35 pm
by Jonah Bron
VladSun wrote:Also, it doesn't matter what resource one would have to use in order to have a successful attack - when it comes to security nothing matters.
I'm not sure how that makes sense. For example, it would take practically forever to decrypt a SHA-512 password, but it's possible. Does that mean we should stop using SHA-512? No, because it's a practical solution. MD5 is very easy to decrypt. Does that mean we should stop using MD5? Yes.
If it takes at least as much resources to take down a server as the server itself has, okay. If you can take it down with an 8-bit processor on dialup, then no: there's something that needs to be fixed.
VladSun wrote:What's a "dialup user"? I've heard about it some time ago...
What a funny name. Almost sounds like it's internet signals over telephone wire. But seriously, it's not too far behind. I only have (very expensive) wireless high-speed internet available.
Re: If you use apache... Must read
Posted: Sun Dec 19, 2010 9:23 pm
by josh
I agree with the above. For example, if it's very easy to break into a bank, you would consider that a flaw with the bank's security; although technically strong security can still be exploited, it would be considered a flaw. I think the same analogy transfers over to the virtual world of security.
PS > You can't take down these forums with a SYN flood, without using a comparable amount of bandwidth to that of the server. With a slowloris attack, you could knock Google offline (with all their data centers), for example, with a 56k modem. [1]
1 - Yes I know Google is not actually vulnerable to slowloris, but if they were this statement would hold true.
So with vulnerabilities I guess you have to rank it on a spectrum, there is dark gray and light gray area so to speak, there is no black & white clear cut definition of a "bug". Considering this spectrum, slowloris is "very dark gray".
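The asymmetry the thread keeps coming back to (a flood needs bandwidth comparable to the server's, slowloris needs almost none because it just parks worker processes in the "reading request" state) is also what makes it detectable from the server side, and it is the per-IP-in-read-state idea that mod_antiloris applies. The script below is an added example, not code from the forum thread, from Apache, or from mod_antiloris: it reads a constructed snapshot of connections (client IP, scoreboard-style state letter, seconds since the last byte arrived; the line format and all addresses are made up here) and reports clients holding more than a cap of stale read-state connections, plus the fraction of workers tied up reading headers. Thresholds are assumptions to be tuned per site.

```python
from collections import defaultdict

# Constructed sample, not real traffic. One connection per line:
#   client_ip  worker_state  seconds_since_last_byte
# State letters mirror Apache's scoreboard: R = reading request headers,
# W = sending reply, K = keepalive, _ = idle worker.
# 203.0.113.7 is the constructed "slow" client: eight workers waiting on
# headers it is drip-feeding; the other two clients behave normally.
SAMPLE_STATUS = """\
203.0.113.7 R 58
203.0.113.7 R 55
203.0.113.7 R 51
203.0.113.7 R 47
203.0.113.7 R 44
203.0.113.7 R 40
203.0.113.7 R 12
203.0.113.7 R 2
198.51.100.4 R 0
198.51.100.4 W 1
192.0.2.9 K 3
192.0.2.9 W 0
"""

READ_STATE = "R"


def parse_status(text):
    """Parse the constructed snapshot into (ip, state, age_seconds) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, state, age = line.split()
        rows.append((ip, state, int(age)))
    return rows


def stale_read_counts(rows, min_age=10):
    """Per client IP, count connections that have sat in the read state for
    at least min_age seconds. A legitimate client finishes sending its
    headers in well under a second even on a slow link; many workers held
    waiting on headers for tens of seconds is the slowloris signature."""
    counts = defaultdict(int)
    for ip, state, age in rows:
        if state == READ_STATE and age >= min_age:
            counts[ip] += 1
    return dict(counts)


def suspicious_clients(rows, min_age=10, max_read_conns=5):
    """Clients holding more than max_read_conns stale read-state connections.
    The cap is an assumed value; mod_antiloris-style per-IP limits are the
    same idea enforced inside the server instead of by an external monitor."""
    return {ip: n for ip, n in stale_read_counts(rows, min_age).items()
            if n > max_read_conns}


def worker_pressure(rows, total_workers):
    """Fraction of the worker pool currently stuck reading request headers.
    This is the number that matters for availability: once it reaches 1.0
    no worker is free to serve anyone, regardless of the attacker's bandwidth."""
    reading = sum(1 for _, state, _ in rows if state == READ_STATE)
    return reading / total_workers


if __name__ == "__main__":
    rows = parse_status(SAMPLE_STATUS)
    print("stale read-state connections per client:", stale_read_counts(rows))
    print("clients over cap:", suspicious_clients(rows))
    print("share of 16 workers busy reading headers: %.2f" % worker_pressure(rows, 16))
```

Run against a real `mod_status` page you would replace the constructed lines with the scoreboard's per-connection rows; the logic stays the same. Note that a handful of read-state connections from one address is normal for browsers opening parallel connections, which is why the check keys on age and count together rather than on either alone.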