# HTTP Request Smuggling/Splitting



## knotabot (Jun 20, 2009)

How can you protect your web server/s from these attacks?

Is there a need to install an IDS?

Are there specific requirements for different web servers?
Or
Are some more prone to this attack than others?

Apache; Lighttpd; Nginx; IIS

Some background on the exploit.
http://www.owasp.org/index.php/Testing_for_HTTP_Exploit


----------
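The OWASP page linked in the question describes the core of the problem: two HTTP parsers (say a proxy and the origin server) disagreeing on where one request ends and the next begins, usually because a request carries both `Content-Length` and `Transfer-Encoding`, or an obfuscated variant of either. The checker below, added here as an example and not taken from the original post or from the OWASP page, shows what a strict front end has to look at to refuse such ambiguous framing before forwarding, plus the CR/LF check that blocks the "splitting" half of the title when user input is copied into a response header. All sample requests are constructed for the example, not captured traffic; the function names are this example's own.

```python
"""Reject HTTP/1.1 requests whose body framing is ambiguous (request
smuggling) and header values that would inject new headers (response
splitting).  Added example; names and samples are this example's own."""
import re

# RFC 7230 'token' characters: the only bytes allowed in a header field name.
# A name like b"Content-Length " (space before the colon) fails this check.
_TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def split_message(raw: bytes):
    """Split a raw request into (request line, [(name, value)...], body).

    Raises ValueError for malformed header blocks; a strict front end should
    treat any of these as grounds to reject the request rather than guess.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF header terminator")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding (obs-fold) in headers")
        if b"\n" in line:
            raise ValueError("bare LF inside header block")
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("header line without ':' : %r" % (line,))
        if not _TOKEN_RE.match(name):
            raise ValueError("invalid header field name %r" % (name,))
        headers.append((name.lower(), value.strip()))
    return request_line, headers, body


def framing_problems(raw: bytes) -> list:
    """Return the reasons this request's body length is ambiguous.

    An empty list means every conforming parser will frame the message the
    same way.  Anything else is a message two parsers may disagree on, which
    is exactly the condition request smuggling exploits.
    """
    try:
        _, headers, body = split_message(raw)
    except ValueError as exc:
        return ["malformed header block: %s" % exc]

    problems = []
    cl_values = [v for n, v in headers if n == b"content-length"]
    te_values = [v for n, v in headers if n == b"transfer-encoding"]

    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present "
                        "(CL.TE / TE.CL desynchronisation risk)")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values %r" % (cl_values,))
    for v in cl_values:
        if not v.isdigit():
            problems.append("non-numeric Content-Length %r" % (v,))
    for v in te_values:
        codings = [c.strip().lower() for c in v.split(b",")]
        if codings != [b"chunked"]:
            # 'xchunked', 'chunked, identity' etc. are parser-confusion tricks
            problems.append("unexpected Transfer-Encoding %r" % (v,))
    if len(cl_values) == 1 and not te_values and cl_values[0].isdigit():
        declared = int(cl_values[0])
        if declared < len(body):
            # Bytes past the declared length would be parsed as the start of
            # the *next* request on a kept-alive connection.
            problems.append("%d trailing bytes beyond Content-Length"
                            % (len(body) - declared))
    return problems


def header_value_is_safe(value: str) -> bool:
    """True if a value may be copied into a response header as-is.

    CR, LF or NUL in a value that lands in Location:, Set-Cookie: etc. is the
    root cause of HTTP response splitting; refuse rather than try to sanitise.
    """
    return not any(ch in value for ch in "\r\n\0")


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = (b"POST /search HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Length: 5\r\n\r\nq=foo")
CL_TE_REQUEST = (b"POST /search HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
                 b"0\r\n\r\nG")
OBFUSCATED_TE_REQUEST = (b"POST /search HTTP/1.1\r\nHost: www.example.com\r\n"
                         b"Content-Length: 6\r\nTransfer-Encoding: xchunked\r\n\r\n"
                         b"0\r\n\r\nG")
SPACE_BEFORE_COLON = (b"POST /search HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"Content-Length : 5\r\n\r\nq=foo")
TRAILING_REQUEST = (b"POST /search HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Content-Length: 3\r\n\r\nq=1\r\nGET /admin HTTP/1.1\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN_REQUEST), ("cl.te", CL_TE_REQUEST),
                       ("obfuscated te", OBFUSCATED_TE_REQUEST),
                       ("space before colon", SPACE_BEFORE_COLON),
                       ("trailing bytes", TRAILING_REQUEST)]:
        print(label, "->", framing_problems(req) or "ok")
    print("splitting payload safe?",
          header_value_is_safe("/home\r\nSet-Cookie: admin=1"))
```

The point of returning a list rather than a boolean is operational: when the front end rejects a request it should log why, since a burst of `both Content-Length and Transfer-Encoding present` rejections from one client is a reliable signal someone is probing for a smuggling desync.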



## vivek (Jun 20, 2009)

Use a lightweight web server such as nginx or lighttpd if possible.

If you need Apache, put it behind a lightweight server.

Use jails to split up PHP, Apache and other services.

Use chroot() provided by lighttpd or mod_chroot for Apache, which locks the server down inside a jail.

Run FreeBSD securelevel 3.

Limit connections per IP using server config or firewall settings.

Tune TCP stack

See the following thread:
http://forums.freebsd.org/showthread.php?t=4108


----------

