httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael D. Berger" <>
Subject [users@httpd] NTLMSSP attacks
Date Mon, 05 Sep 2005 14:26:29 GMT
On RH-E-WS-4 using Apache 2.0 running a very small
web site, using a virtual host and a cgi that sees
all inputs, but only allows GET.

I have been receiving NTLMSSP attacks as often as
several per hour.  Sniffing with tethereal, and
examining with ethereal, I see:

   GET / HTTP/1.0\r\n
   Host: <is visible>
   Authorization: Negotiate <apparent crypt followed by repeated nonsense>
      NTLMSSP identifter: <a few codes>
      NTLM Message type: Unknown <followed by some codes>
      Unrecognized NTLMSSP Message
      <a large amount of either apparent crypt or repeated nonsense
       in numerous continuation packets>

I respond as for a normal GET.  I would like to:

1. Not respond.
      So far, the only way my cgi can distinguish these from my
      usual traffic is by the absence of both User-Agent and Accept
      headers. I tried several environment variables, but I
      have not been able to see the Authorization header.

      * Should I use the information I have to reject?
      * Is there a better way?

2. Drop the connection before I get the continuation packets.
      I can do this with Netfilter QUEUE, put this requires
      parsing many packets twice: once in Netfilter, and
      once in Apache.

      * Is there a way to detect the first attack packet and
        close the connection in Apache?

Any other suggestions?

Thanks in advance for your help.


Michael D. Berger 

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message