If you're doing shared hosting and you allow your users to run CGIs-- regardless of what CGI it is-- you should have reasonable limits in place that keep child processes in check. Apache has had such directives for doing this for some time, one of them being RLimitNPROC. This directive allows you to limit the number of subprocesses that Apache will run concurrently.
You can even specify subprocess limits on a per-virtual host basis. With Apache 2, you can even limit based on directory. Using RLimitMEM is also a good idea.
Yes, MT's comment system can use some improvement. We're working on that. But these servers are getting hammered; in effect a denial-of-service style attack.
Even a "Hello, world" type script can be hit hard enough to bring down a server, assuming there are no process limits in place. Invoking a modern interpreter to execute a CGI script is no small feat. Perl, Python, Ruby, and even PHP (when run as a CGI as many shared hosting companies do for security reasons) consume enormous amounts of resources at startup regardless of the size or complexity of the script they are summoned to execute.
So, sure, code can be added to MT to recognize and adapt to a flood of comments coming in, but by the time the CGI runs, it's already chewing up CPU and memory. In my opinion, a better defense for these flood-style attacks is for Apache itself (or third-party in-memory Apache modules) to handle such situations.
mod_security, mod_dosevasive and others are excellent defensive tools for any public Apache server admin to use.
I'd love to know what others have done to configure Apache to prevent denial-of-service attacks.
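The limits discussed in the comment above, as an added example that is not part of the original comment: an Apache 2 configuration that sets a server-wide default, tightens it for one virtual host, and tightens memory further for that host's CGI directory. The hostname, paths and numeric values are assumptions chosen for illustration.

```apache
# Constructed example: hostname, paths and numbers are placeholders.
# Apache does not allow a comment on the same line as a directive,
# so every note sits on its own line.

# Server-wide defaults. Each RLimit* directive takes a soft limit and an
# optional hard limit. They apply to processes forked by the children that
# service requests (CGI scripts, SSI exec), not to the httpd children.
RLimitNPROC 25 50
# RLimitMEM is in bytes: 64 MiB soft, 128 MiB hard.
RLimitMEM 67108864 134217728

<VirtualHost *:80>
    ServerName customer.example.com
    DocumentRoot "/srv/www/customer/htdocs"
    ScriptAlias /cgi-bin/ "/srv/www/customer/cgi-bin/"

    # Per-virtual-host override: at most 10 processes (hard cap 15).
    # The process limit is counted per user id, so it isolates customers
    # from each other only when their CGIs run under their own uid
    # (for example via suexec). If CGIs run as the web server user, this
    # caps what the server itself can fork, and "cannot fork" messages
    # appear in error_log once the limit is reached.
    RLimitNPROC 10 15

    # CPU seconds per process: stops a runaway script from spinning.
    RLimitCPU 10 20

    <Directory "/srv/www/customer/cgi-bin">
        # Per-directory override (Apache 2): 32 MiB soft, 48 MiB hard.
        RLimitMEM 33554432 50331648
    </Directory>
</VirtualHost>
```

Check the syntax with `apachectl configtest` before reloading. Raising a hard limit above the inherited value only works when the server is started as root.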
Yahoo isn't putting ad banners as news. One or more of the ads in their advertising banner cycle just happens to look like a column of news links. The one I saw was from 'TechnoScout'.
The ad itself is clearly separated from the legitimate news stories and even has an 'ADVERTISEMENT' caption above it to make it clear that you're looking at an ad.
Hardly newsworthy... I've seen things like this in print media for years now.
What if McAfee or some other software vendor were to prevent the FBI software from doing what it was designed to do? Would that act be considered an obstruction of justice? If so, would the vendors themselves be held liable? It sounds to me like McAfee is just trying to remove themselves from this possibility.
Or perhaps the FBI has already threatened them with this scenario.
Furthermore, considering the recent revelation regarding the recent 'firehole' exploit, this tool could be a real threat, even if you are running personal firewall software. Of course, I doubt anything other than Windows will be targeted...
This patent seems pretty bound to fingers, so multi-touch toe interfaces are wide open, folks!
Yeah, but Windows was the problem there, too.
may i suggest ... wait for it ... NeXT?
Boy that Google calculator sure is smart:
http://www.google.com/search?q=550%20tons%20in%20elephants
Returns the aforementioned article as the first hit!
...clearing the path for future versions of Windows.
Has anyone done the calculations to determine where the thing would have landed if it had impacted Earth?
So exactly how do we go about choosing our queen-- election or what? Nominations anyone?
http://www.douglasadams.com/creations/infocomjava.html
Requires java. Minimize window if the boss comes.
And here is the link:
http://www.newscientist.com/news/news.jsp?id=ns99991783