httpd-users mailing list archives

From Purl Gurl <>
Subject Re: [users@httpd] Re: Bug Versions 1.3.28/29 Fixed In 1.3.31 Or Not?
Date Tue, 18 May 2004 16:05:43 GMT
Robert Andersson wrote:
> Purl Gurl wrote:

> In what way is Apache vulnerable in regards to this? Please do not say that
> your logs filling up is a vulnerability, the only way to prevent that is to
> take your server offline or stop logging. There are people running servers
> generating many gigabytes of logs every day, and they manage it; you can
> too.

I have an idea. Robert, you and I, let's work on a project.

I will send you a copy of the WebDav C executable to load
on your machine. I will preconfigure that executable to
send 30,000 bytes of garbage, once per second, which is
highly typical for WebDav. The program will be configured
to socket connect to Apache dot org, a favorite site.

Incidentally, the WebDav program can be programmed to send
any amount of data, even streaming without pause. Whatever
amount of data a server can accept, it can be sent.

Both of us will direct our WebDav programs to Apache dot org
and run those executables non-stop for exactly seven days.

At the end of seven days, between the two of us, we will
have sent 36288000000 bytes of data, that is 36.288 gigabytes.

Apache dot org will not be able to do anything. That garbage
will be logged, they will not be able to block our access.
They are completely defenseless. We are in control of
Apache dot org. We own them.

You suppose Apache dot org might view that event as a 
rather serious problem? Maybe they will consider this
a serious problem when they realize there are thousands
of infected machines pounding away at the same servers,
day in and day out, for months?

Wait! There is more. Have you looked at your port 135
and port 445 logs lately? Hits on those ports because
of WebDav are on average ten times the amount of its
socket http protocol hits.

We average, between http, port 135 and 445, well over
two thousand hits per day, and this is only from one
infected machine. Used to be several dozen infected
machines pounding away. This has been reduced to a
single machine because of my contacting servers, then
advising them of this problem. Even talked to the
vice-president of Charter Communications, along
with his secretary and three technicians, in a
conference call, to educate them on this problem
coming out of Charter. Broadband WebDav!

Reducing this problem to one infected machine took
four months. New machines could appear anytime.

Dealing with ports 135 and 445 is a snap.

Dealing with port 80 is impossible because of Apache.

So, you and I pound at Apache dot org and several other
rogue machines start pounding away. Well darn, our friends
over at Apache are enjoying petabytes of data.

That is a problem, even for Star Trek petabyte drives.

Just imagine, two script kiddies can take down Apache dot org
with nothing more than a click of a mouse button because of
this inherent bug in Apache server software. Yeah, sure,
they can do the same with other methods. However, WebDav
is available to them everywhere, is easy to load, and
requires only a mouse click. Script kiddie Heaven!

Eventually, script kiddies will realize this.


The official User-To-User support forum of the Apache HTTP Server Project.