You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Robert Gash <ga...@gashalot.com> on 1997/12/30 17:46:41 UTC

general/1608: Sending loads of /'s in a request can eventually bring system to crawl.

>Number:         1608
>Category:       general
>Synopsis:       Sending loads of /'s in a request can eventually bring system to crawl.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Dec 30 08:50:01 PST 1997
>Last-Modified:
>Originator:     gashalot@gashalot.com
>Organization:
apache
>Release:        1.2.x (1.2.4 has hole)
>Environment:
This happens for all of the Apaches 1.2.0 or later, 
tested on Linux 2.0.33, iE86, GCC 2.7.2. (Cyrix 6x86L PR166+ Linux system, 16mb
EDO RAM, 4.7GB EIDE Western Digital Harddrive).  Personally tested on 1.2.0,
rumored to work on all Apache's to 1.2.4.  No problem has been seen or attempted
to be fixed.
>Description:
If you use a program posted to bugtraq today, you can effectivley bring a box to
it's knees using the program.  This program sends repeated requests with lots of
/'s.  This isn't a real bug in Apache, but it takes a few seconds to have it think
about the problem.  If these requests are sent in a loop, the box will gradually
slow down and come to almost a stop.  Below is some system stats for my machine
about 15 seconds after I stopped the attack.

  PID USER     PRI  NI SIZE  RES SHRD STAT %CPU %MEM  TIME COMMAND
  206 www       17   0 1212  600  388 R    21.4  4.0  0:04 /usr/local/etc/httpd
   65 www       16   0 1264  692  404 R    21.2  4.7  0:11 /usr/local/etc/httpd
  197 www       17   0 1236  616  380 R    21.1  4.1  0:05 /usr/local/etc/httpd

11:54am  up 52 min,  2 users,  load average: 2.27, 0.95, 0.34
Linux gashalot 2.0.33 #1 Mon Dec 29 16:56:27 EST 1997 iE86
Tue Dec 30 11:54:28 EST 1997
>How-To-Repeat:
View the bugtraq article and use his program.  You may download the files to
create the crash at www.gashalot.com/beck.zip , this way you can download it
yourself (it is private, since I don't think that anyone else should have this
bug.
>Fix:
Patch in something looking for more than 3 /'s in a row.  If a user is typning
3 /'s in a row, simply spit back a message telling him to take out some of the
/'s.  Never are 3 /'s in a row justified, or needed.  This way the server just 
appears to have heavy traffic when attacked
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]