httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Fwd: Apache DSO bug caused DoS
Date Fri, 25 Apr 2003 20:59:07 GMT

  thank you for your report.  This is just a confirmation that we have
forwarded the incident to our security team, for



>From: "jez humble" <>
>Date: Fri, 25 Apr 2003 08:54:14 +0000
>Subject: Apache DSO bug caused DoS
>We've been having a problem on our server which I think is due to this bug:
>A host was repeatedly trying to CONNECT to our host in an attempt to relay spam, and was getting back a copy of our homepage (and the response 200 OK) every time they did so. This rapidly maxed out our database and caused a denial of service.
>Once I'd inserted the following line into httpd.conf
><Location />
>  <Limit CONNECT>
>    Order deny,allow
>    Deny from all
>  </Limit>
></Location>
>the problem was resolved (apache now returns code 403). However since this type of attack seems extremely common, I think this could be a very serious problem.
>Jez Humble.

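The following is an added example, not part of the forwarded message or of Apache itself: a log check for the condition the report describes, where CONNECT requests are answered with a 2xx response instead of being refused. It assumes access logs in Common Log Format; the sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample lines using documentation addresses (not from the report).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Apr/2003:08:01:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 18234
192.0.2.10 - - [25/Apr/2003:08:01:03 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 18234
198.51.100.7 - - [25/Apr/2003:08:01:04 +0000] "GET / HTTP/1.1" 200 18234
192.0.2.10 - - [25/Apr/2003:08:20:00 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 403 291
203.0.113.5 - - [25/Apr/2003:08:21:00 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 403 291
malformed line without the expected fields
"""

def connect_summary(lines):
    """Per client: CONNECT requests answered with 2xx vs. refused, plus targets."""
    summary = defaultdict(lambda: {"answered": 0, "refused": 0, "targets": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Common Log Format line
        parts = m.group("request").split()
        # Method names are case-sensitive; only an exact CONNECT counts.
        if len(parts) < 2 or parts[0] != "CONNECT":
            continue
        entry = summary[m.group("host")]
        entry["targets"].add(parts[1])
        if 200 <= int(m.group("status")) < 300:
            entry["answered"] += 1  # server produced a page for a CONNECT
        else:
            entry["refused"] += 1   # e.g. 403 once the <Limit CONNECT> block is in place
    return dict(summary)

def served_clients(summary):
    """Clients that received at least one 2xx answer to a CONNECT request."""
    return sorted(h for h, e in summary.items() if e["answered"])

if __name__ == "__main__":
    report = connect_summary(SAMPLE_LOG.splitlines())
    for host in served_clients(report):
        e = report[host]
        print(f"{host}: {e['answered']} answered 2xx, {e['refused']} refused, "
              f"targets={sorted(e['targets'])}")
```

Any client listed by `served_clients` was receiving full responses to CONNECT; after the `<Limit CONNECT>` block is applied, new requests from the same client should only add to the `refused` count.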