Tscott
Level: Smiter

Rank Points: 382
Registered: 02-10-2003
IP: Logged

I'm getting a message on every page I visit on this forum that it has blocked an intrusion attempt. When I ask for more info I'm told it's

HTTP Apache Redundant Slashes DoS
Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description
This signature detects requests with excessive slash marks (/).

Additional Information

On versions of Apache prior to 1.2.5, the overhead involved in removing redundant slashes grows exponentially in relation to the number of slashes -- O(n^2). You would not have to strip a single slash, but if two slashes appeared together, you would have to strip one of them. If there were three, you would remove two, but it would take twice as long. If there were eleven, you would have to remove ten, and it would take 1024 times as long. If an attacker sends enough requests with redundant slashes, the attacker could keep all Apache processes busy removing redundant slashes and this would effectively halt system performance and Web service.

Affected:
Apache Software Foundation Apache prior to 1.2.5

Response
Upgrade to the newest version of Apache.

Possible False Positives
There are no known false positives associated with this signature.

As an apparent result of this, I can't see the folder icons or the Start New Thread/Poll buttons (I had to temporarilly disable Norton to start this thread). Also, pages here now load up slow for me or not at all. I also visit 3 other forums and I am having no problems on any of those, nor any other webpage I visit.

Things were fine here yesterday afternoon, but I first noticed this around midnight, central time, last night. I've run a full virus scan on my computer as well, and apart from Norton nuking 2 spyware files that got on my computer it found nothing unusual.

Any ideas what may be causing this? Are any other Norton users seeing anything similar?

____________________________
And I can recall our caravel: a little wicker beetle shell with four fine maste and lateen sails,
its bearings on Cair Paravel. O my love, O it was a funny little thing to be the ones to've seen.
-Joanna Newsom "Bridges and Balloons"

ErikH2000
Level: Legendary Smitemaster

Rank Points: 2794
Registered: 02-04-2003
IP: Logged

I think I fixed it. Try browsing again. Gads, Norton is one finicky customer. I suppose it is stopping you from viewing a web page, for *our* benefit, since the slash-fixing DoS would be on our server and not do anything harmful to your computer.

Schik, the edit options PHP adds an extra slash to the image URL each time you save changes. So it was looking like "http://www.drod.net/forum/images//////". And then I just edited it down, but maybe next time you're in that PHP you could look into the bug.

-Erik

____________________________
The Godkiller - Chapter 1 available now on Steam. It's a DROD-like puzzle adventure game.
dev journals | twitch stream | youtube archive (NSFW)

Tscott
Level: Smiter

Rank Points: 382
Registered: 02-10-2003
IP: Logged

That was quick. Everything seems okay now.

I agree Norton's seems really picky. To the best of my knowledge I have nothing on my computer that would even be affected by this.

Thanks.

____________________________
And I can recall our caravel: a little wicker beetle shell with four fine maste and lateen sails,
its bearings on Cair Paravel. O my love, O it was a funny little thing to be the ones to've seen.
-Joanna Newsom "Bridges and Balloons"

ErikH2000
Level: Legendary Smitemaster

Rank Points: 2794
Registered: 02-04-2003
IP: Logged

Oh, I thought about it a little more and Norton's response actually makes sense. A DoS attack might involve getting a number of zombie processes to request a page known to contain multiple slashes (perhaps manipulated by a hacker earlier to be that way). And then Norton would step in and stop the attack from the client, and possibly identify some unwanted software on your system.

But in this case, we just had a little server-side bug to fix, and your report wouldn't mean you have extra software running on your system.

-Erik

____________________________
The Godkiller - Chapter 1 available now on Steam. It's a DROD-like puzzle adventure game.
dev journals | twitch stream | youtube archive (NSFW)

ErikH2000
Level: Legendary Smitemaster

Rank Points: 2794
Registered: 02-04-2003
IP: Logged

Also, thanks a lot for the detailed report. If you just would have said "Norton isn't letting me view webpages!" this might have taken hours to figure out instead of minutes.

-Erik



____________________________
The Godkiller - Chapter 1 available now on Steam. It's a DROD-like puzzle adventure game.
dev journals | twitch stream | youtube archive (NSFW)

Schik
Level: Legendary Smitemaster

Rank Points: 5383
Registered: 02-04-2003
IP: Logged

ErikH2000 wrote:
maybe next time you're in that PHP you could look into the bug.

Fixed.


____________________________
The greatness of a nation and its moral progress can be judged by the way it treats its animals.
--Mahatma Gandhi