Code Red HELP!!!!
Thu, 9 Aug 2001 18:50:51 -0500 (CDT)
Recently, Ian Jones wrote:
> > > iptables -I INPUT -i eth0 -p tcp --tcp-flags ACK ACK --dport 80 \
> > >   -m string --string '/default.ida?' -j REJECT --reject-with tcp-reset
> If you tear it down from another machine than the webserver then yes, your
> server has a connection in FIN_RCVD (still not ESTABLISHED, right?) so it
> will eventually send a FIN as you said.
The three-way handshake is completed before data is sent over the
connection. Therefore, the connection is in ESTABLISHED state. (Why the
heck would it be in FIN_RCVD, when no FIN was received?)
> I would think that accept(2) only returns a file descriptor for
> reading after the handshake is complete, but I am certainly willing to
> be wrong.
You're wrong. :) accept(2) returns when the handshake is complete, not
when data is waiting to be read.
If you use that iptables line, the webserver child will sit idle for a
couple of minutes for each Code Red request, consuming memory and a socket
and counting towards the maximum number of children for Apache. This is
worse than just processing the request, returning a 404, and exiting.
(Unless the webserver is unpatched IIS, but it still isn't a good
Scottie Shore <email@example.com>
"Experience is that marvelous thing that enables you to recognize
a mistake when you make it again." -- F. P. Jones
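The behaviour argued in the reply above (accept(2) returns on handshake completion, and a server child whose request data never arrives sits blocked until its own timeout) can be observed with a small local socket demo. This is an added example, not code from the thread; the toy "child", the short timeout and the constructed request line are assumptions for the demonstration.

```python
import socket
import threading
import time

# Constructed demo: a toy "web server child" that accepts one connection and
# then waits for the request line. accept() returns as soon as the three-way
# handshake completes; it does not wait for data. If the request data never
# arrives (as when the packet carrying '/default.ida?' is rejected after the
# handshake), the child blocks in recv() until its own timeout fires.

def serve_one(listener, timeout, result):
    conn, _ = listener.accept()               # returns when handshake done
    result["accept_returned_at"] = time.monotonic()
    conn.settimeout(timeout)                  # stands in for Apache's Timeout
    try:
        result["request"] = conn.recv(1024)
    except socket.timeout:
        result["request"] = None
        result["recv_timed_out"] = True
    finally:
        result["recv_finished_at"] = time.monotonic()
        conn.close()

def run_demo(send_request, timeout=1.0):
    """Complete a handshake, optionally send a request, and report timings."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {"recv_timed_out": False, "sent_at": None}
    child = threading.Thread(target=serve_one, args=(listener, timeout, result))
    child.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", port))       # handshake completes here
    if send_request:
        time.sleep(0.2)                       # data clearly after handshake
        client.sendall(b"GET /default.ida?NNNN HTTP/1.0\r\n\r\n")  # constructed
        result["sent_at"] = time.monotonic()
    child.join()
    client.close()
    listener.close()
    # How long the child was tied up between accept() and recv() returning.
    result["child_blocked_for"] = (result["recv_finished_at"]
                                   - result["accept_returned_at"])
    return result

if __name__ == "__main__":
    print(run_demo(send_request=False, timeout=1.0))
    print(run_demo(send_request=True))
```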