Mailing List Archive

Fix for Cascade
Hello,

I was having trouble with the roving Nimda scanners causing my Backhand
cluster to go into a cascade where requests are passed between nodes
indefinitely and never get serviced.

I have discovered a workaround. I have added a test for HTTP 1.0+ to the top
of the backhand_post_read_request routine.

Example:

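    /* Leave anything that is not HTTP/1.x alone, so it is never backhanded. */
    if (r->protocol && strncmp(r->protocol, "HTTP/1", 6) != 0) {
        ap_log_error(APLOG_MARK, APLOG_NOTICE|APLOG_NOERRNO, NULL,
                     "(Postread =>) = { FLAG: Aborting, Protocol is :%s}",
                     r->protocol);

        /* DECLINED: this handler takes no action on the request. */
        return DECLINED;
    }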

This takes care of the situation where a corrupted request is entered with
no method (e.g. http://yada.yada.com HTTP/1.0) or no protocol (e.g. GET
http:/yada.yada.com).

If the protocol is not specified, as with the poorly written exploit scanner
that alerted me to this, then it is defaulted to HTTP/0.9, but the request
is never handled properly by mod_backhand. It just gets passed from node to
node, with no request ever being finished and returned; more and more
subrequests are created and backhanded to other nodes. Result: a catastrophic
cascade that causes a DoS condition.

I also noticed the logging in backhand_post_read_request never seems to get
triggered, even when full logging is enabled with the following:

BackhandLogLevel +netall
BackhandLogLevel +mbcsall
BackhandLogLevel +dcsnall

The (Postread =>) log messages never get written in the logs. The
conditional logic looks identical to other phases that show up correctly in
the logs, but this phase never logs anything. Anyone else notice this?

Dennis Cartier

---
The man with tremendous wealth is a paradox: he has to be smart enough to
get it, yet stupid enough to want it. - Chesterton
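
The following is an added example, not code from the post or from mod_backhand. It shows why the single protocol test covers both malformed request lines mentioned above. It assumes a simplified request-line parse in which the first two words are taken as method and URI and a missing third word yields HTTP/0.9; the function names are hypothetical and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): method and URI are the first two
 * whitespace-separated words; whatever follows is the protocol, and an
 * empty remainder is treated as HTTP/0.9, as the post describes. */
static void derive_protocol(const char *line, char *proto, size_t n)
{
    const char *p = line;
    int word;
    for (word = 0; word < 2; word++) {      /* skip method, then URI */
        p += strspn(p, " \t");
        p += strcspn(p, " \t");
    }
    p += strspn(p, " \t");
    snprintf(proto, n, "%s", *p ? p : "HTTP/0.9");
    proto[strcspn(proto, " \t\r\n")] = '\0';   /* trim trailing junk */
}

/* The guard from the post: 1 = handler returns DECLINED,
 * 0 = the request stays eligible for balancing. */
static int guard_declines(const char *proto)
{
    return proto != NULL && strncmp(proto, "HTTP/1", 6) != 0;
}

/* Convenience wrapper: request line in, guard decision out. */
static int line_is_declined(const char *line)
{
    char proto[32];
    derive_protocol(line, proto, sizeof proto);
    return guard_declines(proto);
}

int main(void)
{
    /* Constructed sample request lines, including the two from the post. */
    const char *samples[] = {
        "GET /index.html HTTP/1.0",
        "GET http:/yada.yada.com",
        "http://yada.yada.com HTTP/1.0",
        "GET /index.html",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i],
               line_is_declined(samples[i]) ? "declined" : "balanced");
    return 0;
}
```

Under this model the line with no method is declined as well, because its only two words are consumed as method and URI and nothing is left to serve as the protocol.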