SECURITY problem - kill requests SECURITY problem - kill requests
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

SECURITY problem - kill requests

Started by punjab, November 15, 2006, 02:44:43 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

punjab

November 15, 2006, 02:44:43 PM
Today i got DOS attack to server.
27 request peer second to login.php in coppermine gallery totally kill my linux server. System load average gets to 60.

I make experiment.
I go with firefox to coppermine login page and in maximum frequency clicking to refresh button in firefox and server get to load 40 in 30 seconds.

This is not normal. I make this on some other php/mysql pages and nothing happend. Server load stay in low values.
CPG is version is 1.4.9 or 1.4.10

Can anybody with linux, apache, mysql server try this?

Joachim Müller

#1
November 15, 2006, 03:55:25 PM
DDoS attacks are not being performed by someone hammering the reload button of his browser while he's on your page - they are script-driven instead. Your experiment doesn't prove anything.
Coppermine has not been developed with protection against DDoS in mind - you should take precautions against DDoS by implementing server-sided counter-measures like mod_evasive, which basically let's you determine a treshold for requests from a single IP per time period. If an IP address requests more than it is allowed to, the requests are being dropped.
Print
Go Up Pages1
User actions