Apache memory/process management. (fwd)

[Marc Slemko <ma...@znep.com>]

<shrug>

You create a document tree where Apache has to do a lot of work to serve
files then get upset when Apache does a lot of work.  In this case, it has
to look for a lot of htaccess files.  I guess adding a "MaxDirLength"
directive or something would remove this.

I'm not sure what to make of the "The only thing I want to show is very
ineffective management of memory, CPU time and other resources" statement.
Similar comments about Apache doing all sorts of horrible things when it
was really just using a lot of CPU were made for the previous DoS attack.

---------- Forwarded message ----------
Date: Wed, 31 Dec 1997 17:09:22 +0100
From: "[iso-8859-2] Michał Zalewski" <lc...@boss.staszic.waw.pl>
To: BUGTRAQ@NETSPACE.ORG
Subject: Apache memory/process management.

Here is another (less interesting) example of Apache DoS attack,
called 'beck2'. The only thing I want to show is very ineffective
management of memory, CPU time and other resources. This attack is
possible in two cases:

1. Attacker owns an account on a victim machine, or
2. Victim's directory structure is very deep (?).

When one of above statements is true, it's possible to perform a
remote attack, even when Apache has been already patched against
first version of 'beck'. More details can be deducted from
sources :)

In well-configured system, any kind DoS attack should be at least
ineffective (resources *required* to attack should be significally
larger than resources *affected* by attack ;). Unfortunately, it's
very, very easy to attack Apache servers using minimal amount of
time and brain resources :) Maybe it's time to rewrite larger parts
of code?

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=

Re: Apache memory/process management. (fwd)

[Marc Slemko <ma...@worldgate.com>]

On Wed, 31 Dec 1997, Marc Slemko wrote:

> <shrug>
> 
> You create a document tree where Apache has to do a lot of work to serve
> files then get upset when Apache does a lot of work.  In this case, it has
> to look for a lot of htaccess files.  I guess adding a "MaxDirLength"
> directive or something would remove this.

It is easy to add a check of num_dirs in directory_walk and fail
if it is above a certain number (although this also impacts 
PATH_INFO stuff).  This should probably be runtime configurable.

Not entirely sure how worthwhile it is.  The person posting to 
bugtraq will probably respond again "well, it only fixes this 
problem, it isn't a generic fix" but I'm not sure what magic fix
they expect for everything in the world...

Re: Apache memory/process management. (fwd)

[Rob Hartill <ro...@imdb.com>]

On Wed, 31 Dec 1997, Marc Slemko wrote:

> <shrug>
> 
> You create a document tree where Apache has to do a lot of work to serve
> files then get upset when Apache does a lot of work.  In this case, it has
> to look for a lot of htaccess files.  I guess adding a "MaxDirLength"
> directive or something would remove this.
> 
> I'm not sure what to make of the "The only thing I want to show is very
> ineffective management of memory, CPU time and other resources" statement.
> Similar comments about Apache doing all sorts of horrible things when it
> was really just using a lot of CPU were made for the previous DoS attack.

Ignore him.

Next thing he'll be telling us is that he can use his penknife to sharpen
a stick that could be used to stab someone.


> ---------- Forwarded message ----------
> Date: Wed, 31 Dec 1997 17:09:22 +0100
> From: "[iso-8859-2] Micha³ Zalewski" <lc...@boss.staszic.waw.pl>
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Apache memory/process management.