Why a “503: Slow Down” response from Amazon S3 can actually be good for you!
The official AWS S3 docs on Request Rate and Performance Considerations for S3 clearly state, Amazon S3 scales to support very high request rates.
Sometimes this doesn’t appear to be the case in practise given you start pushing your request rates to the bucket and around the 700 requests per second mark you suddenly get hit with these slow down responses.
This is actually a good thing!
Another short one but to get to grips with Tornado (the asynchronous web server) there is a great explaination at:
Understanding the code inside Tornado, the asynchronous web server
You can find Tornado on github, here
An extract straight from ISC2’s CSSLP Overview but always useful to consider. The rest of the CSSLP brochure can be found here (pdf).
||What is it?
||Insecure Code Examples
||How to Fix It
||Code that makes injection attacks possible by allowing user supplied input to be executed as code.
||No input validation,
Dynamic construction of queries
||Non-Repudiation Mechanisms not Present
||Authenticity of code origin and actions are disputable.
Auditing not present
||Code that makes spoofing attacks possible.
||Predictable session identifiers, hard-coded passwords, caching credentials and allowing identify impersonation
||Session, Cache and Password Management,
Managing identify impersonation
||Exceptions and Errors not Properly Handled
||Code that reveals verbose error messages and exception details, or fails-open in the event of a failure.
|Non-verbose error messages,
Explicit exception handling (Try-Catch-Finally blocks),
||Cryptographically Weak Code
||Code that uses non-standard, weak or custom cryptographic algorithms and manages keys insecurely.
||Key not derived and managed securely
||Do no use weak, non-standard, algorithms, custom cryptography,
Use RNG/PRNG for key derivation
||Unsafe/Unused Functions and Routines in Code
||Code that increases attach surface by using unsafe routines or containing unused routines.
||Banned API functions,
|Do no use banned APIs, unsafe functions, Input validation, remove unused routines and Easter Eggs
||Code that allows for determination of internal architecture or design.
|Code obfuscation (shrouding),
Digitally signing code
||Elevated Privileges Required to Run
||Code that violates the principle of least privilege.
||Environment configuration, Code set explicitly to run with least privilege
A short and simple update that if you’re looking to get to grips with Fuse development using C++ a great starting point is:
My latest exploits have involved writing an apache module so let’s look at a basic getting started guide for developing apache modules.
This assumes running on a RHEL platform with httpd-dev installed.
Apache modules can both process requests and output information, the following basic example outputs an extra header in response to any requests and outputs the text Hello World onto the page. Continue reading