the IIS worker process when accepting a connection goes ahead and establishes a server side outbound port to talk back to the client
and yes IIS will send info out one IP that was sourced on a different one - and it will lie about the source.. trust me if you do multi-home without BGP and your upstream providers actually check header info you will see this happen.
my logic isn't flawed - it's just how IIS behaves - and the whole conversation on this branch is WHY Apache is vulnerable and why IIS isn't (or at least not normally)
and as for SSL being bound to an IP you're right it doesn't have to be a single IP it can be a range. BUT if you are hosting more than a single SSL site on the same server you must assign each one their own IP(s) instead of using the "any available" option under IIS - which limits the number of available addresses and therefore ports for it to source a reply from
the incoming traffic is always going to IP:80
the return traffic from IIS is coming from available IPs:port
if you bind a website in IIS to an IP instead of "any available IP" then the return TCP connection is forced to be sourced from the IP that is also the receiving one
if you have it set to "any available IP" and the box has 2 IPs your client may request data on IPA:80 and get a reply from IPB:port
therefore your available ports for reply (limiting the max connections) would be MaxPorts * Available IPs.
give a host 2 IPs and it has more ports than the attacking client (assuming a single attacker) bind the site to an IP and now the attacker has more ports than the host so it will work (this is going to be a given for SSL sites as they don't support host headers)
well the connection limit for a single host is the number of available ports for outbound traffic (to return data to the client)
by default (from memory here) I want to say IIS is set up to use ~4k ports for outbound - I do know that can be changed to allow ports 1024+ to be used meaning the number of available ports would be ~64.5k
and that is per host IP - and unless you have the site bound to a specific host IP address (instead of using site headers) - IIS will respond on an alternate IP (if it has one) when another is out of ports (in fact I think it round-robins - I can't remember)
Where this could be a problem for IIS is with SSL as SSL has to be bound to an IP and the max amount of ports for that IP is going to be less than the number of ports that the client can send from. So yes this type of exploit could cause an outage in IIS - it is much less likely (based on default config) than Apache - and is only realistically likely when trying to attack an SSL supporting site. (like they are hard to find)
About the only IIS server that this is going to bring down is the small personal or single server setups used by small biz. any type of clustered hosting or even virtual hosting - the worst case is that someone can block SSL connections to a site (unless the whole server is horridly configured - which we never ever can leave out of the equation - but even then with IIS6+ it would take effort to make your server very vulnerable to this)
unless you are using Session()s in ASP in IIS then one thread in IIS handles multiple connections.
what this is doing is opening a connection (getting a thread to work it) and holding it open (keeping the thread busy) and just keep asking for new ones.
it is very common (always I think) for Apache and a lot of web servers to have a max threads so that the site under heavy traffic doesn't open more connections than it can handle.
where IIS also has a worker thread limit - there is no limit (you can set one - but not on by default) on how many concurrent connections can be managed by a thread (and new incoming connections are passed to the thread with the lowest current work load - not always the one with fewer connections)..
if you do what they are doing here I can see IIS behavior would be to slowly pile all these slow - no work connections into one thread and the others would happily go about doing actual work..
where Apache would slowly lose access to workable threads as this keeps them busy.
this isn't an exploit on the HTTP or TCP protocol - it is an exploit based on the behavior of the web server based on its best practices for managing it.
I didn't say it was better - I was just replying to someone saying yes it is real..
if you read my post you would also note that I said I would be interested in one when they can get the equivalent brightness of 1,200 lumens.. as for my use that is the min that is usable
and they all use lenses and focusing
again no different in basic workings than replacing the incandescent light source with an LED one.
whereas the laser projector the grandparent was asking about is a completely different set of technology for casting an image.
That's real.. and a completely different piece of tech than this review.
the review here is of a normal old LCD/DLP projector where they have replaced the bulb with an LED - still have the lens and focusing fun.
the ShowWX is a laser based projector that does line scanning (like a CRT) with the lasers and has no focusing lens assembly because lasers don't diffuse therefore it is always in focus.
the Laser based ones are what I want to see pick up.. if they could sell me one that has the brightness equivalent of 1200 lumens.. and a 1024x768 res.. even for 4 times the size of the ShowWX.. I would be willing to pay 1-1.4$ a lumen.
actually it's people not taking the time to work with Exchange..
to be honest there is nothing out there that compares feature wise with Exchange - sure Exchange has A LOT of issues - but so does everything else.
It isn't hard to talk to Exchange and to talk to it in a very usable manner - just MS isn't helpful in posting a lib for people to just import and walk with - but it is fully documented how to talk with Exchange - and just takes time to implement - so far I've just seen other mail clients say "hey IMAP works we will just use that for Exchange" but you know what? IMAP doesn't do a lot of what Exchange can do.
and if you start pointing to other vendors' products - take a look at client compatibility - other than the vendor's client very few have full feature compatibility.
so many people knock Exchange - but in reality it is quite nice if you know how to manage it.
due to its lack of enforcement it wasn't near the same revenue generator as the land line tax that was repealed and refunded the other year..
Although if it was enforced it could easily replace that revenue stream - but again.. difficult to do.. and they can just drop it and everyone thinks they are getting a break (when nothing changes)
it's sad how easily this populace is manipulated.
from a clean Windows install no.. but there have been instances of it being installed by OEMs prior to shipping computers..
but considering that this is a feature that has to be turned on in Opera by the user for it to work - it's no different than having IIS available to install on the box..
and yes considering that most OEMs put the contents of the install disk on the computer it is trivial to script a silent install and config of IIS without someone knowing..
ahh damn.. well guess it will have to use one of the other ~65k ports that work
wait.. there is a "proper" way?
then just tell Joe it will make his porn pages look better
why would it be different than running Apache.. or the millions of people with XP and IIS installed?
the browser can just allow a simplistic interface for configuration and management to the people who don't know how to do it otherwise
something sitting in the back of my head telling me that I would trust Opera to do it FAR better than Netscape - if not for the reason that when Netscape did it.. no one thought people would be evil with it.. second Opera is by far one of the most secure browsers out there, let alone the fastest (although Chrome is giving it a run for its money on that front).
oh you must not have gotten the memo.. the customer is never out of money.. people these days will just rack up credit card bills to pay for it..
sorry but I find prices today and what people pay for things completely out of control.. especially with MMOs and the micro payment ones..
and can someone please explain to me why on earth people pay for text messages? especially on devices with a net connection and can easily run IM programs.. many of which nowadays have SMS gateways?
the consumer they are making this for is no one here.. (at least I hope)... they are building this for the people who have no clue about the game - what happens when AT&T finds it "unprofitable" or what the numbers on their credit card bills mean.
it would be interesting but remember that Cray is now selling GPGPU powered mini super computers.
failure to comply with a buzzword does not mean it is useless.
you may have an argument on that front with RC5 cracking but not with folding
are you referring to the /. crowd as "society"?
watch out.. you may be spreading false hope
funny thing.. dealing with Verizon (after they bought MCI).. we dropped our T1 with MCI back in Nov 07.. after they came and removed equipment we continued to get bills.. I just finally resolved all of that about 2 months ago (yes nearly 2 years later).. just last month I got a bill again.. but this time it wasn't for service..
the bastards had the nerve to bill me for the postage and paper they sent the previous bills on - as it was a "fee" that is normally included with service but as we didn't have "service" we had to pay the fee separate.. I enjoyed ripping their phone people a new one
I was diagnosed with Crohn's 2 1/2 years ago.. once they figured it out - it made my life make a lot of sense.. I had always had pains and was constantly sick but nothing was constant it would come and go - but when it flamed up to the point where I couldn't move due to the pain - that is when they had to figure out what was going on. it took 2 weeks to figure out what it was.. and I was actually misdiagnosed the first week and was given a "special diet" that caused me so much pain I wanted to kill myself.
do I blame the doctors for that one? no.. the first one was a diagnosis from an ER unit.. they made the best with the info at hand and it all fit.. the second one was with a specialist with more info..
now the fact that this girl had been seeing doctors for years and even got the "clean slides" from her pathologist means he is at fault here.. he should have seen it - and if he missed it then he isn't doing his job.
if a doctor makes a mistake because of a lack of info that is understandable - but when the info is right there and they just overlook it.. that is careless and dangerous..
while I know there are people with psychological disorders that make them think they are constantly sick or have some incurable or exotic disease.. but in reality.. I would say most people - if they are going to continue to go back and forth to the doctor over any amount of time.. legitimately have something wrong..
I can answer that.. it was 8 fucking years ago.. in the summer of 2001 before the 9/11 attacks.. since then we haven't been able to get clearance to get on that part of the base.
(I stayed with the same pack/troop through eagle and have been helping with it via OA since then)
by the way the mortar incident in the above post was ~17-18 years ago
I remember when I was in the cub scouts - we got to go on base to the firing range and shoot for a trip.. we all walked around and picked up shell casings.. to keep - sometimes we would find a live round and were instructed to give it to the commander - when I came back holding a live mortar round - and asked the commander what it was - I remember his eyes lighting up.. I will never forget that day... we got to watch them explode it at the end of the range.
does this mean all we have to do is package movies and music inside their own little player application to get around this?
hit this is exactly what happened to fonts - as by law a font face can't be copyrighted - so they came up with the ttf and other methods and make the execution of each fontface displaying program under copyright. when you licence a font you are licencing the right to use the ttf not the font face itself.
IF it didn't have a clause preventing you from working elsewhere - I would do it.. 5 years of money and health care to go work some place else..