Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 1997/12/30 20:49:15 UTC

3 forwarded messages...

FYI, the below messages are what has appeared here on bugtraq and the
attached patch is what Mark Lowes attached to his message. 

---------- Forwarded message ----------
Date: Tue, 30 Dec 1997 06:08:49 -0600
From: Zen <ze...@CRIMELAB.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Apache DoS attack?

Zalewski <lc...@POLBOX.COM> wrote:
: Here's a simple exploit for Apache httpd version 1.2.x (tested on
: 1.2.4). When launched, causes increases of victim's load average and
: extreme slowdowns of disk operations. On my i586 Linux annoying slowdown
: has been experienced immediately (after maybe 5 seconds). After about 4
: minutes work has been turned into real hell (286?).

I just tested this exploit on Apache httpd versions 1.0.x, 1.1.x, 1.2.x,
and 1.3.x (beta). All of the versions seem to be affected in one way or
another, but the 1.0.x and 1.1.x seem to be less effective, since the
load average goes down right after the attack has stopped, unlike 1.2.x
and 1.3.x, which kept going even after the attack has stopped.

--
Zen <ze...@crimelab.net>
Fourth Law of Revision:
        It is usually impractical to worry beforehand about
interferences -- if you have none, someone will make one for you.



---------- Forwarded message ----------
Date: Tue, 30 Dec 1997 11:59:55 GMT
From: Mark Lowes <ma...@ftech.net>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Apache DoS attack?

On Tue, 30 Dec 1997 11:07:04 +0100, you wrote:

>[excuse me if it has been discovered before]

First I've heard.

>Here's a simple exploit for Apache httpd version 1.2.x (tested on 1.2.4).
>When launched, causes increases of victim's load average and extreme
>slowdowns of disk operations. On my i586 Linux annoying slowdown has been
>experienced immediately (after maybe 5 seconds). After about 4 minutes
>work has been turned into real hell (286?).

Ok here's an initial patch, I'm sure someone will come up with something
better and more efficient but it works. :)

        Mark

--
+--------------------------------------------------------------------+
| Frontier Internet Services Ltd - Disclaimer;                       |
|                                                                    |
| All statements made and agreements come to by means of email are   |
| at all times subject to Frontier's Terms and Conditions of service |
| and product descriptions / sales literature. Representations made  |
| above and beyond those contained there in are not to be relied     |
| upon and are at no time contractually binding.                     |
+--------------------------------------------------------------------+



---------- Forwarded message ----------
Date: Tue, 30 Dec 1997 17:34:47 +0100
From: Michał Zalewski <lc...@POLBOX.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Apache DoS attack?

Apache patch by Mark Lowes:

[...]
+ /* Compress multiple '/' characters into one */
+ /* To prevent "GET //////..." attack */
[...]
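
Review bot: the two added comment lines say that runs of '/' are compressed but not where: they should state which part of the request the compression applies to (the path only, or the whole request line including any query string) and at what point in request handling it runs. Suggest merging them into one block comment that names the input being normalised, so a reader of the surrounding code can tell whether the "GET //////..." case is handled before the filename is built.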

After a few tests I discovered that Apache first looks for files
[index|homepage].[html|shtml|cgi] (probably it makes over 32000
chdirs :), then dies, throwing 'filename too long' error into logs.
Client gets 'Forbidden' response and disconnects. But httpd child
process still stays in background, wasting large amount of CPU time
and system resources. Note it happens _only_ after this error,
so '//...' sequence must be as long as it's possible (about 7 kB).
The PERFECT httpd patch should also fix httpd's cleanup, to make
httpd a little more stable :)

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
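
The slash compression described in the patch comments above, as an added example; it is not Mark Lowes' patch or Apache's own code. The function names are hypothetical, and leaving the query string untouched is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Collapse every run of '/' in the path part of a request URI into one
 * '/', in place. Anything from the first '?' on is kept byte for byte
 * (assumption of this example). Returns the new length. */
size_t collapse_slashes(char *uri)
{
    char *src = uri, *dst = uri;
    size_t rest;

    while (*src != '\0' && *src != '?') {
        *dst++ = *src;
        if (*src == '/') {
            while (*src == '/')
                src++;              /* skip the rest of the run */
        } else {
            src++;
        }
    }
    rest = strlen(src);
    memmove(dst, src, rest + 1);    /* regions may overlap */
    return (size_t)(dst - uri) + rest;
}

/* Longest run of consecutive '/' in the path part: a cheap signal for
 * flagging requests in logs before they are normalised. */
size_t longest_slash_run(const char *uri)
{
    size_t best = 0, run = 0;

    for (; *uri != '\0' && *uri != '?'; uri++) {
        run = (*uri == '/') ? run + 1 : 0;
        if (run > best)
            best = run;
    }
    return best;
}

int main(void)
{
    char uri[] = "//////a///b?q=//";    /* constructed sample input */

    printf("longest run: %zu\n", longest_slash_run(uri));
    collapse_slashes(uri);
    printf("normalised:  %s\n", uri);
    return 0;
}
```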