durusmail: quixote-users: PROPFIND and other methods
PROPFIND and other methods
Mike Orr
2005-09-20
On 9/20/05, David Binger wrote:
>
> On Sep 19, 2005, at 8:16 PM, Mike Orr wrote:
>
> > I found the following in my Quixote access log.
> >
> > 161.55.32.34 - 2005-09-17 10:39:51 483 "PROPFIND /attachments/
> > HTTP/1.1" 200 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.00sec
> >
> > I found nothing in the RFCs about these methods but these links
> > suggest it's an attack against an IIS server (which I don't have):
> > http://groups.google.com/group/microsoft.public.inetserver.iis/
> > browse_frm/thread/a9ecbf7ba3bd1794/31879151c845e65f?
> > lnk=st&q=propfind&rnum=8#31879151c845e65f
> > http://www.iisfaq.com/default.aspx?View=A489
>
> PROPFIND is a webdav method.  Webdav is described in rfc 2518.
> Maybe this is just a browser trying to mount your server.

But should it be?  If the application is not meant to be WebDAV
friendly, is there any reason not to send an error and force them to
use GET?

> > I'm actually planning to make the logger put the access log in a SQL
> > database.  No reason to screw around with this format if I'm only
> > using it for one purpose.
>
> It will be interesting to see how well that works.
> It seems relatively expensive.

It won't work for huge logs.  The last organization I worked for had
logs that were 1+ GB compressed.  But normalizing the user agent field
(or leaving it out) and using a datetime for the date and an int for
the size should partly offset the overhead.  I've also set an
expiration of one week for images, and that cut the number of requests
significantly.

--
Mike Orr  or 
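The two ideas in this message combined, as an added example that is not part of the original post and is not Quixote code: access-log lines in the quoted format are loaded into a SQL table with the user agent normalized into its own table, then queried for requests whose method the application does not expect but that still received a 2xx response. SQLite, the table and function names, and the allowed-method set (GET, HEAD, POST) are assumptions.

```python
import re
import sqlite3
from datetime import datetime

# First line is the one quoted in the post; the other two are constructed.
SAMPLE_LOG = """\
161.55.32.34 - 2005-09-17 10:39:51 483 "PROPFIND /attachments/ HTTP/1.1" 200 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.00sec
192.0.2.10 - 2005-09-17 10:40:02 483 "GET /index HTTP/1.1" 200 'Mozilla/5.0' 0.01sec
192.0.2.11 - 2005-09-17 10:41:15 483 "OPTIONS / HTTP/1.1" 404 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.00sec
"""
# Field layout inferred from the quoted line (assumption). The integer after
# the timestamp is not explained in the post, so it is matched and ignored.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \d+ '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r"""(?P<agent>'[^']*'|"[^"]*") (?P<secs>\d+\.\d+)sec$""")

SCHEMA = """
CREATE TABLE agent (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE hit (ts TEXT, ip TEXT, method TEXT, path TEXT, status INTEGER,
                  secs REAL, agent_id INTEGER REFERENCES agent(id));
"""

def load(conn, text):
    """Insert parsable lines; return (rows_loaded, lines_skipped)."""
    lines = text.splitlines()
    loaded = 0
    for m in filter(None, map(LINE_RE.match, lines)):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").isoformat(" ")
        agent = m["agent"][1:-1]  # strip the surrounding quotes
        conn.execute("INSERT OR IGNORE INTO agent(name) VALUES (?)", (agent,))
        conn.execute("INSERT INTO hit VALUES (?,?,?,?,?,?,"
                     "(SELECT id FROM agent WHERE name = ?))",
                     (ts, m["ip"], m["method"], m["path"], int(m["status"]), float(m["secs"]), agent))
        loaded += 1
    return loaded, len(lines) - loaded

def answered_unexpected(conn, allowed=("GET", "HEAD", "POST")):
    """Requests with a method outside `allowed` that still got a 2xx reply."""
    marks = ",".join("?" * len(allowed))
    return conn.execute(
        f"SELECT h.ts, h.ip, h.method, h.path, h.status, a.name FROM hit h "
        f"JOIN agent a ON a.id = h.agent_id WHERE h.method NOT IN ({marks}) "
        f"AND h.status BETWEEN 200 AND 299 ORDER BY h.ts", allowed).fetchall()

def demo(text=SAMPLE_LOG):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return load(conn, text), answered_unexpected(conn)
```

Run against the sample, the query returns only the PROPFIND request: it is the one line where a method outside the allowed set was answered with a 200.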