httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <...@algroup.co.uk>
Subject Re: YA Apache DoS attack
Date Fri, 07 Aug 1998 23:04:21 GMT
Dag-Erling Coidan Smørgrav wrote:
> I know that there are many trivial ways of overloading a web server
> (e.g. opening tons of connection to eat up file descriptors and
> process slots), but this one seemed a little extreme, to say the
> least.

This is O(n^2) and therefore a Bad Thing(tm), that I will agree with.

> Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not
> on 1.3.1. However, there is no mention of this bug in the change log
> for 1.3.1, so I'll assume it's vulnerable.
> 
> BTW, how can the Apache team be stupid enough not to provide a way of
> submitting problem reports by email? If they did, I'd've sent this to
> them first and given them a week, but they don't and I'm too friggin'
> lazy to use their web interface...

security@apache.org

> Here's the 'sploit for the script kiddies. It should compile cleanly
> and work on most Unices. These are the ones I've tested it on:

And here's a band-aid for 1.3.1 - I'm sure we'll come up with something better
soon. This (untested) patch should prevent the worst effects. A similar patch
should work for 1.2.x.

Index: http_protocol.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.229
diff -u -r1.229 http_protocol.c
--- http_protocol.c     1998/08/06 17:30:30     1.229
+++ http_protocol.c     1998/08/07 23:02:56
@@ -714,6 +714,7 @@
     int len;
     char *value;
     char field[MAX_STRING_LEN];
+    int nheaders=0;
 
     /*
      * Read header lines until we get the empty separator line, a read error,
@@ -723,6 +724,11 @@
         char *copy = ap_palloc(r->pool, len + 1);
         memcpy(copy, field, len + 1);
 
+        if(++nheaders == 100) {
+           r->status = HTTP_BAD_REQUEST;
+           return;
+       }
+           
         if (!(value = strchr(copy, ':'))) {     /* Find the colon separator */
             r->status = HTTP_BAD_REQUEST;       /* or abort the bad request */
             return;

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/

Mime
View raw message