httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 50870] New: Content-Lenght specified in a GET request makes the listener to wait until the timeout.
Date Fri, 04 Mar 2011 12:25:57 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=50870

           Summary: Content-Lenght specified in a GET request makes the
                    listener to wait until the timeout.
           Product: Apache httpd-2
           Version: 2.2.17
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: enrico.fusi@gmail.com


It seems possible to make the apache child to wait until the timeout if the
Content-Lenght is specified inside a GET request. I perfectly know that the
RFC2616 is not explicitely forbidding to provide a content-lenght to the GET
request. The problem is a GET request with a content-lenght just takes some
dozens of bytes, and then this makes that easy to produce DDOS. 

This makes possible , expecially in the prefork configuration, to easily make
all the childs busy in a server with some KB/s of bandwidth.

This happens even forbidding to have a Content-Lenght in the GET request with a
rewriterules, or to setting mod_security to block this: the listener stays busy
until the timeout expires.

This is an example with 90 secs of timeout. To reproduce it is easy.


time curl -v someserver:80  -H'Content-Length: 59'
* About to connect() to localhost port 13091
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 13091
> GET / HTTP/1.1
> User-Agent: curl/7.15.3 (sparc-sun-solaris2.9) libcurl/7.15.3 OpenSSL/0.9.8a zlib/1.2.3
> Host: someserver:80
> Accept: */*
> Content-Length: 59
>
< HTTP/1.1 403 Forbidden
< Date: Fri, 04 Mar 2011 11:51:26 GMT
< Content-Length: 202
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>
* Closing connection #0

real    1m30.862s
user    0m0.028s
sys     0m0.032s

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message