Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 6543 invoked by uid 6000); 30 Dec 1997 19:49:57 -0000
Received: (qmail 6437 invoked from network); 30 Dec 1997 19:49:54 -0000
Received: from scanner.worldgate.com (198.161.84.3) by taz.hyperreal.org with SMTP; 30 Dec 1997 19:49:54 -0000
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.7/8.8.7) with UUCP id MAA12748 for new-httpd@apache.org; Tue, 30 Dec 1997 12:49:53 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id MAA27272 for ; Tue, 30 Dec 1997 12:49:15 -0700 (MST)
Date: Tue, 30 Dec 1997 12:49:15 -0700 (MST)
From: Marc Slemko
To: TLOSAP
Subject: 3 forwarded messages...
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-949513125-883511355=:2417"
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

--0-949513125-883511355=:2417
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: QUOTED-PRINTABLE

FYI, the below messages are what has appeared here on bugtraq and the
attached patch is what Mark Lowes attached to his message.

---------- Forwarded message ----------
Date: Tue, 30 Dec 1997 06:08:49 -0600
From: Zen
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Apache DoS attack?

Zalewski wrote:
: Here's a simple exploit for Apache httpd version 1.2.x (tested on
: 1.2.4). When launched, causes increases of victim's load average and
: extreme slowdowns of disk operations. On my i586 Linux annoying slowdown
: has been experienced immediately (after maybe 5 seconds). After about 4
: minutes work has been turned into real hell (286?).

I just tested this exploit on Apache httpd versions 1.0.x, 1.1.x, 1.2.x,
and 1.3.x (beta).
All of the versions seem to be affected in one way or another, but the
1.0.x and 1.1.x seem to be less effective, since the load average goes
down right after the attack has stopped, unlike 1.2.x and 1.3.x, which
kept going even after the attack has stopped.

--
Zen

Fourth Law of Revision:
        It is usually impractical to worry beforehand about
        interferences -- if you have none, someone will make one for you.

---------- Forwarded message ----------
Date: Tue, 30 Dec 1997 11:59:55 GMT
From: Mark Lowes
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Apache DoS attack?

On Tue, 30 Dec 1997 11:07:04 +0100, you wrote:

>[excuse me if it has been discovered before]

First I've heard.

>Here's a simple exploit for Apache httpd version 1.2.x (tested on 1.2.4).
>When launched, causes increases of victim's load average and extreme
>slowdowns of disk operations. On my i586 Linux annoying slowdown has been
>experienced immediately (after maybe 5 seconds). After about 4 minutes
>work has been turned into real hell (286?).

Ok here's an initial patch, I'm sure someone will come up with
something better and more efficient but it works. :)

Mark

--
+--------------------------------------------------------------------+
| Frontier Internet Services Ltd - Disclaimer;                       |
|                                                                    |
| All statements made and agreements come to by means of email are   |
| at all times subject to Frontier's Terms and Conditions of service |
| and product descriptions / sales literature. Representations made  |
| above and beyond those contained there in are not to be relied     |
| upon and are at no time contractually binding.                     |
+--------------------------------------------------------------------+

---------- Forwarded message ----------
Date: Tue, 30 Dec 1997 17:34:47 +0100
From: Michał Zalewski
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Apache DoS attack?

Apache patch by Mark Lowes:

[...]
+ /* Compress multiple '/' characters into one */
+ /* To prevent "GET //////..." attack */
[...]

After a few tests I discovered that Apache first looks for files
[index|homepage].[html|shtml|cgi] (probably it makes over 32000 chdirs :),
then dies, throwing 'filename too long' error into logs. Client gets
'Forbidden' response and disconnects. But httpd child process still stays
in background, wasting large amount of CPU time and system resources.

Note it happens _only_ after this error, so '//...' sequence must be as
long as it's possible (about 7 kB). The PERFECT httpd patch should also
fix httpd's cleanup, to make httpd a little more stable :)

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=

--0-949513125-883511355=:2417
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="beck.patch"
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description:

--0-949513125-883511355=:2417--
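
The normalization named in the quoted patch comment ("Compress multiple '/' characters into one"), followed by a length bound on the result, as an added C example that is not Mark Lowes's patch and not Apache code. The function names and MAX_PATH_BYTES are assumptions of this example; the sample request is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_BYTES 1024  /* hypothetical limit, not an Apache constant */

/* Collapse each run of '/' in the path part of a request URI to one '/',
 * in place. Text from the first '?' on (the query string) is copied
 * unchanged. Returns the new string length. */
size_t collapse_slashes(char *uri)
{
    char *src = uri, *dst = uri;
    int in_query = 0;

    while (*src != '\0') {
        if (*src == '?')
            in_query = 1;
        /* Drop a '/' that directly follows a '/' already kept. */
        if (!in_query && *src == '/' && dst > uri && dst[-1] == '/') {
            src++;
            continue;
        }
        *dst++ = *src++;
    }
    *dst = '\0';
    return (size_t)(dst - uri);
}

/* Normalize, then bound the path. Returns 1 if the request may go on to
 * filesystem lookup, 0 if it should be refused first. */
int uri_path_acceptable(char *uri)
{
    collapse_slashes(uri);
    return strcspn(uri, "?") <= MAX_PATH_BYTES;
}

int main(void)
{
    char flood[7168 + 16];  /* constructed input: 7 kB of '/' plus a name */

    memset(flood, '/', 7168);
    strcpy(flood + 7168, "index.html");
    printf("accepted=%d uri=%s\n", uri_path_acceptable(flood), flood);
    return 0;
}
```

Collapsing before the length check means a slash-padded request is judged by the path it actually names, while a path that is still over the limit is refused before any directory-index lookup starts.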