Forum OpenACS Q&A: Re: Security: cgi-bin/cachemgr.cgi A*4096 attack?

Posted by russell muetzelfeldt on
The client IP address in my AOLserver access log is owned by UUNET. Am I correct in assuming that the attack really did originate from that address, that the client IP wasn't forged or anything like that?
Odds are it is, but nslog (in AOLserver 4 at least) transparently replaces the remote host address with the content of an X-Forwarded-For: header if one exists... I suppose this is meant to be a good thing if you run nsd behind an accelerator like squid or pound, but it also allows an attacker to spoof their address to you and (if you're not behind an accelerator) can fill up your logs with potentially meaningless client addresses... Personally, I fix nslog to not do that on all my live servers...
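
The logging policy this reply argues for, as an added example (not part of the original post and not AOLserver's nslog code): honour X-Forwarded-For only when the socket peer is a known accelerator, and otherwise log the socket address with the header kept as a separate, unverified claim. The function name, the trusted-proxy list and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the accelerators (squid, pound) allowed to set X-Forwarded-For.
# Constructed values; pass trusted=() when the server is not behind a proxy.
TRUSTED_PROXIES = (ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/24"))


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_addr_for_log(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return (address_to_log, claimed_xff). peer is the TCP socket address."""
    peer_ip = ipaddress.ip_address(peer)
    if not xff_header:
        return str(peer_ip), None
    # Direct connection from an untrusted host: the header is client-supplied,
    # so log the socket peer and keep the claim in a separate field.
    if not _is_trusted(peer_ip, trusted):
        return str(peer_ip), xff_header
    # Peer is one of our proxies. Walk the chain right to left and stop at the
    # first hop that is not ours; anything further left is unverified.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the socket peer
        if not _is_trusted(hop_ip, trusted):
            return str(hop_ip), xff_header
    return str(peer_ip), xff_header


if __name__ == "__main__":
    # Constructed requests: (socket peer, X-Forwarded-For value)
    samples = [
        ("203.0.113.7", "192.0.2.99"),               # direct hit, forged header
        ("10.0.0.5", "198.51.100.9"),                # via trusted accelerator
        ("10.0.0.5", "192.0.2.99, 198.51.100.9"),    # client pre-seeded the header
        ("10.0.0.5", "not-an-address"),
    ]
    for peer, xff in samples:
        logged, claimed = client_addr_for_log(peer, xff)
        print(f"peer={peer} logged={logged} xff_claim={claimed!r}")
```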