[BUG]UU is Brute Force Attack (AKA 403 Forbidden)?

Support and feedback for UniUploader
UniUploader requires microsoft .net runtimes!

[BUG]UU is Brute Force Attack (AKA 403 Forbidden)?

Postby Jabouty » Sat Aug 18, 2007 11:02 pm

Alright, so I've been fighting my host for well into three months on the use of the UU. What's been going on is that about halfway, maybe more, through the synchronize process with UA the server freaks out and stops all access. I say I've been fighting with her, but truthfully my host is one of the most understanding people I know. With her help we've figured out the issue with the random 403 for the UU.

What is happening is that Apache is seeing the supafly fast data transfer for the multiple calls that UU does one after the other after the other without a pause. When Apache sees this that specific IP gets blocked for a little bit. This is because UU is acting EXACTLY like a standard Brute Force script would. Sending and pulling data faster than a human could with a browser, in essence, trying to overload the server.

This is a bad thing.

My host is understanding, but there are some that are not, and without some sort of throttling mechanism built into UU, I can see people getting yelled at once their server host figures it out (It may take awhile as I found, but eventually they'll figure it out too).

That said, is there a way to throttle the Push/Pull transfer of UU so that there's a, say 5-10 second, pause in between each command sent to UA? This little pause should be enough to have apache not go apeshit on us.

A little backup for show:

Top Process %CPU 26.0 /usr/bin/php update.php
It's eating server resources due to the non throttling and Apache going on the warpath.

In addition, the use, due to the software and the way it is coded, is simulating a brute force attack on apache. We have had to completely remove our Apache Brute Force Evasive security system on that server in order to get rid of those errors - this is something I am absolutely unhappy about doing as you are the only domain with this issue with that security.
She disabled modevasive for me to test both UU and UA to determine if it is, in fact, UU that is doing it, and yes, Apache goes on the warpath whenever UU hollers to talk to the server's UA installation.

She then let me know in no uncertain terms that if a real brute force attack happens while she has disabled modevasive for me, she's gonna have a big case of the ass for me :D. I can understand her reasons though.

Some sort of thottling mechanism should be in place to avoid this. Please advise.
Last edited by Jabouty on Sat Aug 18, 2007 11:03 pm, edited 1 time in total.
Image
User avatar
Jabouty
WR.net Apprentice
WR.net Apprentice
 
Posts: 60
Joined: Thu Dec 28, 2006 6:22 pm

[BUG]UU is Brute Force Attack (AKA 403 Forbidden)?

Postby MattM » Sun Aug 19, 2007 12:15 am

What POST variables are being transmitted to the server by UU before, during, and after the apache module blocks your ip

by the way I try to make UU as conformant to HTTP 1.1 as possible, and RFC 2616 has no such "delay" imposed on the interval between posts.

Common Sense:

When installing custom modules for Apache, you run the risk of Apache displaying unexpected or unwanted behavior!
Last edited by MattM on Sun Aug 19, 2007 12:26 am, edited 2 times in total.
MattM
UA/UU Developer
UA/UU Developer
Gimpy Developer
Gimpy Developer
 
Posts: 886
Joined: Tue Jul 04, 2006 9:53 pm
Location: USA

[BUG]UU is Brute Force Attack (AKA 403 Forbidden)?

Postby Jabouty » Thu Aug 23, 2007 4:59 am

MattM wrote:What POST variables are being transmitted to the server by UU before, during, and after the apache module blocks your ip

by the way I try to make UU as conformant to HTTP 1.1 as possible, and RFC 2616 has no such "delay" imposed on the interval between posts.

Common Sense:

When installing custom modules for Apache, you run the risk of Apache displaying unexpected or unwanted behavior!
LOL I don't run the server, I just pay for it and beat it up and drive my host insane with untested code (my php code that is):D

It runs fine for me up to the deleteaddons command. For others it halts at the update addons command.

Code: Select all
[2007/08/22 16:22:47] Retrieving XML data.
[2007/08/22 16:22:47]
[2007/08/22 16:22:47] RetrData: url: http://www.astralorder.com/uniadmin/interface.php
[2007/08/22 16:22:47] RetrData: param1: OPERATION
[2007/08/22 16:22:47] RetrData: val1: GETDELETEADDONS
[2007/08/22 16:22:47] RetrData: Timeout: -1
[2007/08/22 16:22:47] RetrData: ------------------------------------------------------------------------
[2007/08/22 16:22:48] <?xml version="1.0"?>
[2007/08/22 16:22:48]  <addons>
[2007/08/22 16:22:48]   <addon dirname="DuckieBank" />
[2007/08/22 16:22:48]   <addon dirname="DuckNet" />
[2007/08/22 16:22:48]   <addon dirname="CT_RaidAssist" />
[2007/08/22 16:22:48]   <addon dirname="KLHThreatMeter" />
[2007/08/22 16:22:48]  </addons>
[2007/08/22 16:22:48]
[2007/08/22 16:22:48]
[2007/08/22 16:22:48] RetrData: ------------------------------------------------------------------------
[2007/08/22 16:22:48]
[2007/08/22 16:22:48] Beginning the XML document parsing
[2007/08/22 16:22:48] UpdateAddons: Root element is missing
Unfortunately I do not have access to the error logs at this time, so this is the best I can provide you with :'(
Last edited by Jabouty on Thu Aug 23, 2007 5:00 am, edited 1 time in total.
Image
User avatar
Jabouty
WR.net Apprentice
WR.net Apprentice
 
Posts: 60
Joined: Thu Dec 28, 2006 6:22 pm

[BUG]UU is Brute Force Attack (AKA 403 Forbidden)?

Postby MattM » Thu Aug 23, 2007 10:12 am

right now UU is multithreaded and has no queue for the HTTP traffic it generates, thus no control over the time between requests or "shock absorption"

I think there's more to this problem than that though. If I could see a snip of the apache log that would be great.
MattM
UA/UU Developer
UA/UU Developer
Gimpy Developer
Gimpy Developer
 
Posts: 886
Joined: Tue Jul 04, 2006 9:53 pm
Location: USA

[BUG]UU is Brute Force Attack (AKA 403 Forbidden)?

Postby Jabouty » Sat Aug 25, 2007 5:26 am

I'll see what I can get from me host and post back :D
Image
User avatar
Jabouty
WR.net Apprentice
WR.net Apprentice
 
Posts: 60
Joined: Thu Dec 28, 2006 6:22 pm

Re: [BUG]UU is Brute Force Attack (AKA 403 Forbidden)?

Postby ds » Sat Aug 25, 2007 6:46 am

Perhaps a better approach to this rather then shutting off the module all together is to configure it. Your host can do this globally or you can add a .htaccess to the directory in question.

For example:
Code: Select all
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        4
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>
Image
ds
Roster AddOn Dev
Roster AddOn Dev
 
Posts: 297
Joined: Sat Jul 08, 2006 9:58 am

[BUG]UU is Brute Force Attack (AKA 403 Forbidden)?

Postby Anaxent » Sat Aug 25, 2007 7:32 am

hmm good idea DS, as the rules were put on the server for a reason it is best to leave them on but being able to configure it is great.
User avatar
Anaxent
WoWRoster.net Dev Team
WoWRoster.net Dev Team
 
Posts: 642
Joined: Tue Jul 04, 2006 6:27 am
Location: Phoenix, Az


Return to UniUploader

Who is online

Users browsing this forum: No registered users and 0 guests

cron