> Here's a simple exploit for Apache httpd version 1.2.x (tested on 1.2.4).
> When launched, causes increases of victim's load average and extreme
> slowdowns of disk operations.
[...]
> Attached program ('beck') is a shell script. It works by sending
> excessive http requests with thousands of '/'s inside (parsed from file
> 'beck.dat').

Here is a simple workaround to temporarily solve the problem: before going any further, this patch scans the URI provided by the client, and returns an error if it contains more than PDM_MAX_SLASHES separators. The default is 30, which should be plenty for most situations. In case of a URI being trapped, this patch logs an entry into your error log with the URI and the address of the client. Beware, your log can become really big.

As usual, cd to your src directory and patch with "patch < apache_patch", or proceed by hand.

I've tested it with apache 1.2.4 on Linux 2.0.29, Pentium 90 with 32 MB of RAM. It works well with beck, even with multiple attacks. It's by no means a permanent solution; I think the Apache guys will have to rewrite something in the URI parsing code.

Hey, I'm no Apache guru, this is just a quick hack so...
use it at your own risk :-)

---8<---CUT HERE---8<--- *** http_protocol.c.orig Fri Aug 15 19:08:51 1997 --- http_protocol.c Tue Dec 30 17:40:44 1997 *************** *** 643,648 **** --- 643,665 ---- r->method = getword_white(r->pool, &ll); uri = getword_white(r->pool, &ll); uri = check_fulluri(r, uri); + /* PDM */ + { + #define PDM_MAX_SLASHES 30 + int i, count; + char c; + + count = 0; + for(i = 0; ((c = uri[i]) != '\0') && (count < PDM_MAX_SLASHES); i++) + if((uri[i] == '/') || (uri[i] == '\\')) + count++; + if(count >= PDM_MAX_SLASHES) { + log_printf(r->server, "Warning: URI `%s' from %s contains too many directory separators, possible DoS attack?", uri, get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME)); + r->status = HTTP_REQUEST_URI_TOO_LARGE; + return 0; + } + } + /* PDM */ parse_uri (r, uri); r->assbackwards = (ll[0] == '\0'); ---8<---CUT HERE---8<---

Greetings,
--
Pancrazio `Ezio' DE MAURO
Networking Division, Datanord Multimedia
E-mail: pdemauroat_private
Via Tortona, 31, 20144 Milano - Italy
WWW: http://www.datanord.it/
Phone: +39 2 4895 61 - Fax: +39 2 4895 6327
NOTICE: NEW TELEPHONE NUMBERS
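Review bot: the hunk rejects a URI with exactly PDM_MAX_SLASHES separators, not only one with more, which does not match the description above. The loop stops as soon as count reaches the limit (`count < PDM_MAX_SLASHES`) and the test that follows is `if(count >= PDM_MAX_SLASHES)`, so a URI with 30 slashes is refused and the effective limit is 29. Changing the loop condition to `count <= PDM_MAX_SLASHES` and the test to `if(count > PDM_MAX_SLASHES)` gives the documented behaviour. Two smaller points: `c` is assigned in the loop condition but never read, because the body re-reads `uri[i]`; and a `#define` inside the function body makes the limit awkward to tune, so a file-scope constant (or a configuration directive) would be easier to adjust.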
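The separator check from the patch, written here as a standalone function so its limit semantics can be exercised on constructed URIs. This is an added example, not the post's patch or Apache code; the names count_separators, uri_has_too_many_separators and make_slash_uri are my own, and it rejects only URIs with more than the limit, as the description states.

```c
/* Added example (not from the post or the Apache sources): the '/' and '\\'
 * counting check as a testable function. Constructed inputs only. */
#include <stddef.h>
#include <stdio.h>

#define PDM_MAX_SLASHES 30  /* same default as the patch */

/* Count '/' and '\\' in uri, stopping once the count exceeds max so that a
 * very long URI costs at most max+1 matches before it is rejected. */
int count_separators(const char *uri, int max)
{
    int count = 0;
    for (const char *p = uri; *p != '\0' && count <= max; p++) {
        if (*p == '/' || *p == '\\')
            count++;
    }
    return count;
}

/* Returns 1 when the URI holds MORE THAN max separators, otherwise 0. */
int uri_has_too_many_separators(const char *uri, int max)
{
    return count_separators(uri, max) > max;
}

/* Build a constructed URI of n slashes followed by "a" into buf. */
void make_slash_uri(char *buf, size_t len, int n)
{
    size_t i = 0;
    while (n > 0 && i + 2 < len) {  /* keep room for 'a' and the NUL */
        buf[i++] = '/';
        n--;
    }
    if (i + 1 < len)
        buf[i++] = 'a';
    buf[i] = '\0';
}

int main(void)
{
    char buf[128];
    make_slash_uri(buf, sizeof buf, PDM_MAX_SLASHES);
    printf("%d slashes -> reject=%d\n", PDM_MAX_SLASHES,
           uri_has_too_many_separators(buf, PDM_MAX_SLASHES));
    make_slash_uri(buf, sizeof buf, PDM_MAX_SLASHES + 1);
    printf("%d slashes -> reject=%d\n", PDM_MAX_SLASHES + 1,
           uri_has_too_many_separators(buf, PDM_MAX_SLASHES));
    return 0;
}
```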
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:53 PDT