httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Florian Weimer <fwei...@bfk.de>
Subject Re: Mitigation Range header
Date Wed, 24 Aug 2011 13:08:26 GMT
* Dirk-WIllem van Gulik:

> On 24 Aug 2011, at 13:43, Florian Weimer wrote:
>
>> * Dirk-WIllem van Gulik:
>> 
>>> Hmm - when I remove mod_deflate (i.e. explicitly as it is the default
>>> in all our installs) and test on a / entry which is a static file
>>> which is large (100k)* - then I cannot get apache on its knees on a
>>> freebsd machine - saturating the 1Gbit connection it has (Note: the
>>> attack machines *are* getting saturated).  The moment i put in
>>> mod_deflate, mod_external filter, etc - it is much easier to get
>>> deplete enough resources to notice.
>> 
>> Oh.  Have you checked memory usage on the server?
>
> I had not - and you are right - quite high. I also tried it on a
> Ubuntu machine - and that one dies right out of the gate - regardless
> as to wether deflate is on- or off.

It seems that this reflects different approaches to memory
overcommitment.  I didn't see any crashes with vm.overcommit_memory=2 on
Linux, either.  I wouldn't mention this in the advisory, though, because
even if no critical process is terminated due to the out-of-memory
condition, thrashing could still push the system beyond the point of
recovery.

Including the increased memory usage in the adviosry, as a potential
attack indicator, would make sense, IMHO.

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstra├če 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

Mime
View raw message