Date: Fri, 7 Aug 1998 16:19:58 -0700 (PDT)
From: Marc Slemko <marcs@znep.com>
To: Dag-Erling Coidan =?ISO-8859-1?Q?Sm=F8rgrav?= <finrod@EWOX.ORG>
cc: BUGTRAQ@netspace.org
Subject: Re: YA Apache DoS attack
In-Reply-To: <861zqspvtw.fsf@niobe.ewox.org>
Message-ID: <Pine.GSO.4.00.9808071601040.188-100000@redfish>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

On Fri, 7 Aug 1998, Dag-Erling Coidan [ISO-8859-1] Sm=F8rgrav wrote:

> There seems to be a simple way of badly DoSing any Apache server. It
> involved a massive memory leak in the way it handles incoming request
> headers.=20

No, this is particular to multiple headers with the same name.  I have
verified in the past that several different combintations of long and
large numbers of headers do nothing but blow it up to a size reasonable
for the amount of data received.  There are still possible arguments for
limiting that, but in general attacks like that which are linear in the
bandwidth used aren't too serious or rare.

In this case, however, because the names of the headers are all the same,
they are merged in Apache's tables.  Each time they are merged, a new
string is allocated with the extra header tacked on the end (eg.
User-Agent: sioux --> User-Agent: sioux, sioux) in the standard method of
merging HTTP headers.  The memory usage you are seeing comes from the
summation from 1 to 10000 of the size of the string, which is ~50000000
copies of "sioux, " which is ~350 megs.

Because of Apache's pool based memory structure, the memory isn't freed in
that loop, so it grows.  There isn't actually a memory leak, just a huge
amount of memory use which has obviously negative impacts.

One workaround (that is a good idea in general, anyway) would be to set a
ulimit on memory usage before starting Apache, which can catch such things
easily and quickly.

An official fix will be available when ready.

[...]
> BTW, how can the Apache team be stupid enough not to provide a way of
> submitting problem reports by email? If they did, I'd've sent this to
> them first and given them a week, but they don't and I'm too friggin'
> lazy to use their web interface...

(the below is strictly my personal opinion)

I personally find that attitude pathetic.  You can spend who knows how
long looking at this, adding a copyright notice to your script, writing
this all up, etc. but can't take 2 minutes to fill out a form. =20

The obvious answer as to why we don't have an email address for general
bug reporting is that it takes far too many resources and is silly to
manually enter huge numbers of bug reports into our bug database.  If you
think the Apache Group has the resources to answer everyone who wants to
email anything in the way of a bug report or their configuration problem
to us, you are wrong. =20

It is unfortunate that you decided you don't care about Apache or have any
respect for the people that spend their time on it.  No matter who the
vendor is, it only makes sense to report it to them first.  It is better
for everyone, especially the users.  Full disclosure doesn't mean you
don't tell the vendor, it means that you expect action in a reasonable
amount of time and, when a fix is available the full details of the
problem and impact are made available.

security@apache.org will always work just fine for security issues,
although it isn't as well publicized as it could be.

--=20
     Marc Slemko     | Apache team member
     marcs@znep.com  | marc@apache.org