Wilmore Precision Lawnmower Marching Brigade

No doubt you've heard about it for years. Now you can see it. The Wilmore Precision Lawnmower Marching Brigade, an annual favorite part of the Wilmore Fourth of July Parade, in Wilmore, Kentucky.

mod_pony

mod_pony has been a pretty long-standing joke on #httpd on Freenode, and has also made a number of appearances in conference presentations of mine when I wanted to refer to an imaginary module for some reason.

I'm pleased to announce that there is now actually a mod_pony. It really doesn't do anything useful. But it does build, and output a pony. And, really, what more could one possibly want?

Patches welcome.

(See mod_pony in action HERE.)

Hypocrisy

What you see here is the cover of the new People magazine.

Other than the quote, which is sure to be a favorite of her daughter once she can read, this looks like a promotion for teen pregnancy. She's beaming, obviously very pleased with herself. Girls everywhere are going to be saying, wow, where can I get me one of those?

And, according to MSN, she's going to make more than a quarter mil on the photos. What's not to love. Better run out and get preggers as fast as you can.

It would be lying to say I'm shocked by the startlingly bad judgement of this magazine. I lost my last shred of respect for the media years ago. But surely, somewhere along the chain of command, someone has a daughter? Even one of you? Show at least a scrap of common sense, would you?

The Perfect Bag

Satchel

I've been on a search for the perfect bag for quite some time.

I carry a lot of stuff, and I hate having my pants pockets loaded down. There's the wallet and phone and pens and iPod, for starters. But there's also the keys and knife and ... Am I becoming Ken Coar?

I want something that's small - I already carry a backpack most places - but big enough for the stuff listed above. And it needs to be neither effeminate and purse-like, nor have the uber-geek-ness of a fanny pack.

I finally found The Ultimate Bag. It's awesome. It's got everything. It really has only one drawback - the price tag.

Now, with a 100 year warranty, and such an aura of awesomeness, perhaps $115 is in fact pretty reasonable. But I don't actually have it at this moment. But what I do have is an awesome brother who lives in the place where they have amazing leather artisans on every street corner. I showed him the picture, and he arrived last week with The Perfect Bag.

At first, I thought it was a little small, because my Moleskine didn't fit in it, but the more I use it, the more I love it. I think it might actually be the perfect size. It's really well made. The stitches are small. The stress points are riveted. The inside has a nice lining. And the whole thing is that wonderful honey-brown color that will, I'm sure, darken with time and use. It doesn't have any zippers or snaps to break or wear out, so I think it's going to last a long time.

Whether they'll fight over it when I'm dead, I'm not sure, but that's a concession I'm willing to make.

Slowloris

No doubt you've heard of Slowloris, the HTTP DoS tool that will take down an Apache web server. I recommend reading the update at that site, which describes in some detail how it works.

Note that this condition is also covered in the Apache documentation, and, according to svn, that was put in:

r369825 | slive | 2006-01-17

So we've known about it for a *long* time.

What I can't figure out is whether it's really not that big a deal, or if I'm dismissing the importance because I've known about it for so long. I've known for a *long* time that you can take down an Apache server with nothing more than a telnet client. You telnet to port 80, issue a partial HTTP request, and then bg the process, then do it again.

The way that the attack works is that Apache then waits for the rest of the request, until it hits the timeout (configurable with the Timeout directive). This completely ties up that listener, so that it can't answer any other inbound requests. Unfortunately, by default, Timeout is set to 300. And Apache only has a finite number of available waiting processes (configurable with MaxClients). So you do that MaxClients times within Timeout seconds, and, voilà, the server is no longer able to respond to inbound requests.

That's exactly what the slowloris tool does, in a more automated fashion.

So, what to do about it?

Well, set Timeout lower. And use mod_evasive to limit the number of connections from one host. And use mod_security to deny requests that look like they were issued by this tool. However, that last one doesn't really help, because it's trivial to change the signature of requests from this tool.
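To make the arithmetic in the two paragraphs above concrete, here is a small worker-pool model, added to this post and not part of the original or of Apache's code. It treats each worker as held from the moment a partial request arrives until Timeout expires, and optionally applies a per-host connection cap of the kind mod_evasive enforces (the cap here is a simplified stand-in for that module's logic, not a copy of it). The MaxClients, Timeout and arrival values are constructed, and the client address is a documentation-range placeholder.

```python
"""Model of how partial requests occupy Apache workers until Timeout expires.

Constructed example: nothing here touches the network.  It counts how many
workers are held by never-completed requests over time, so that the effect of
a lower Timeout and of a per-host connection cap can be compared directly.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PoolConfig:
    max_clients: int                       # MaxClients: workers available to wait on requests
    timeout: int                           # Timeout: seconds a worker waits for the rest of a request
    per_host_limit: Optional[int] = None   # simplified per-host cap (mod_evasive-style); None = no cap


def simulate(config: PoolConfig, arrivals: List[Tuple[int, str]]) -> Tuple[int, Optional[int]]:
    """Return (peak_demand, first_saturated_second) for a stream of partial requests.

    `arrivals` is a list of (second, client_ip).  Each entry is a request whose
    headers never finish, so the worker that accepted it is released only when
    Timeout expires.  peak_demand is the largest number of such requests open at
    once; first_saturated_second is the first second at which that number reaches
    MaxClients, or None if the pool never fills.
    """
    events = sorted(arrivals)
    horizon = max(t for t, _ in events) + config.timeout + 1
    held: List[Tuple[int, int]] = []          # accepted connections as (start, end)
    open_per_host = defaultdict(list)          # ip -> list of end times of its accepted connections

    for t, ip in events:
        if config.per_host_limit is not None:
            # forget connections whose Timeout has already expired, then apply the cap
            still_open = [end for end in open_per_host[ip] if end > t]
            open_per_host[ip] = still_open
            if len(still_open) >= config.per_host_limit:
                continue                       # refused: this host already holds its quota
        end = t + config.timeout
        held.append((t, end))
        open_per_host[ip].append(end)

    peak = 0
    saturated_at = None
    for sec in range(horizon):
        busy = sum(1 for start, end in held if start <= sec < end)
        peak = max(peak, busy)
        if saturated_at is None and busy >= config.max_clients:
            saturated_at = sec
    return peak, saturated_at


if __name__ == "__main__":
    # Constructed scenario: one partial request per second for a minute from a single host.
    arrivals = [(t, "203.0.113.7") for t in range(60)]
    for label, cfg in [
        ("default Timeout 300", PoolConfig(max_clients=50, timeout=300)),
        ("Timeout 20", PoolConfig(max_clients=50, timeout=20)),
        ("Timeout 300, 10 conns per host", PoolConfig(max_clients=50, timeout=300, per_host_limit=10)),
    ]:
        peak, when = simulate(cfg, arrivals)
        state = f"saturated at second {when}" if when is not None else "never saturated"
        print(f"{label}: peak demand {peak} workers, {state}")
```

With the default Timeout the pool of 50 workers fills after 50 seconds of one connection per second; dropping Timeout to 20 keeps at most 20 workers tied up at any moment, and a per-host cap of 10 holds the same host to 10 regardless of Timeout. The model also shows why the signature-based mod_security rule is the weakest of the three: nothing in it depends on what the partial request looks like, only on how long it is allowed to sit.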

On the other hand, this attack - or exploit, if you want to call it that - has been around for years, and hasn't been a very popular attack vector. What this tool has done is not so much discover an attack - we already knew about it - as let the larger number of script kiddies know about it. So presumably we'll see it happen more often than we used to.

So, what to do about it longer term? Well, in Apache 3.0, or 2.4, with the event mpm and asynchronous IO, it will apparently be a non-issue. Another of the *many* compelling reasons to upgrade to 2.4 just as soon as it releases - something else that I need to write more about in the coming days.

Additional resources:

Niq's response
Apache security documentation
Slowloris website
mod_evasive


About

Here dies another day during which I have had eyes, ears, hands and the great world round me; And with tomorrow begins another. Why am I allowed two? (Evening, by Chesterton)