Full Disclosure: Re: DoS in Apache 2.0.52 ?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: DoS in Apache 2.0.52 ?

From: Michal Zalewski <lcamtuf () ghettot org>
Date: Mon, 1 Nov 2004 16:38:42 +0100 (CET)

On Mon, 1 Nov 2004, Chintan Trivedi wrote:

GET / HTTP/1.0\n
[space] x 8000\n
[space] x 8000\n
[space] x 8000\n
.
.
8000 times

I created 25 threads (connections) and send the above request to one
webserver.


This is circa 1.5 GB of data (61 MB per connection), at which point you
probably either caused an (improperly configured) server to kill random
processes on OOM, or swapped it to death.

This seems to be a valid DoS, and Apache most certainly should refuse such
an attack (historically, they had several other header parsing flaws).
This attack is probably not particularly efficient, compared to, say, a
good old connection flood, should you have 1.6 GB of bandwidth to spare.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

By Date By Thread

Current thread:

DoS in Apache 2.0.52 ? Chintan Trivedi (Nov 01)
- Re: DoS in Apache 2.0.52 ? Mauro Flores (Nov 01)
  - Re: DoS in Apache 2.0.52 ? Chintan Trivedi (Nov 01)
- Re: DoS in Apache 2.0.52 ? Michal Zalewski (Nov 01)
- <Possible follow-ups>
- Re: DoS in Apache 2.0.52 ? Daniel Guido (Nov 17)