Re: Apache DoS attack?

From: Pancrazio DE MAURO (pdemauroat_private)
Date: Tue Dec 30 1997 - 09:10:17 PST


    > Here's a simple exploit for Apache httpd version 1.2.x (tested on 1.2.4).
    > When launched, causes increases of victim's load average and extreme
    > slowdowns of disk operations.
    
    [...]
    
    > Attached program ('beck') is a shell script. It works by sending
    > excessive http requests with thousands of '/'s inside (parsed from file
    > 'beck.dat').
    
    Here is a simple workaround to temporarily solve the problem: before going
    any further, this patch scans the URI provided by the client, and returns
    an error if it contains more than PDM_MAX_SLASHES separators. The default
    is 30; it should be plenty for most situations.
    
    In case a URI is trapped, this patch logs an entry into your error
    log with URI and address of client. Beware, your log can become really
    big.
    
    As usual, cd to your src directory and patch with
    
            patch < apache_patch
    
    or proceed by hand.
    
    I've tested it with apache 1.2.4 on Linux 2.0.29, Pentium 90 with 32 MB of
    RAM. It works well with beck, even with multiple attacks.
    
    It's by no means a permanent solution; I think the Apache guys will have
    to rewrite something in the URI parsing code.
    
    Hey, I'm no Apache guru, this is just a quick hack so... use it at your
    own risk :-)
    
    ---8<---CUT HERE---8<---
    
    *** http_protocol.c.orig        Fri Aug 15 19:08:51 1997
    --- http_protocol.c     Tue Dec 30 17:40:44 1997
    ***************
    *** 643,648 ****
    --- 643,665 ----
          r->method = getword_white(r->pool, &ll);
          uri = getword_white(r->pool, &ll);
          uri = check_fulluri(r, uri);
    +     /* PDM */
    +     {
    +         #define PDM_MAX_SLASHES 30
    +         int i, count;
    +         char c;
    +
    +         count = 0;
    +         for(i = 0; ((c = uri[i]) != '\0') && (count < PDM_MAX_SLASHES); i++)
    +             if((uri[i] == '/') || (uri[i] == '\\'))
    +                 count++;
    +         if(count >= PDM_MAX_SLASHES) {
    +             log_printf(r->server, "Warning: URI `%s' from %s contains too many directory separators, possible DoS attack?", uri, get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME));
    +             r->status = HTTP_REQUEST_URI_TOO_LARGE;
    +             return 0;
    +         }
    +     }
    +     /* PDM */
          parse_uri (r, uri);
    
          r->assbackwards = (ll[0] == '\0');
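    Review bot: the rejection threshold is off by one relative to the description above: the loop stops as soon as `count` reaches PDM_MAX_SLASHES and the test is `count >= PDM_MAX_SLASHES`, so a URI with exactly 30 separators is rejected, not only one with more than 30. Either make the check `if(count > PDM_MAX_SLASHES)` with the loop bound `count <= PDM_MAX_SLASHES`, or describe the limit as "PDM_MAX_SLASHES or more". Also, `c` is assigned in the loop condition but the body re-reads `uri[i]`; use `c` in the body or drop the variable, and move `#define PDM_MAX_SLASHES` out of the block (or make it a configurable directive) so the limit can be tuned in one obvious place.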
    
    ---8<---CUT HERE---8<---
    
    Greetings,
    --
    Pancrazio `Ezio' DE MAURO       Networking Division
    Datanord Multimedia             E-mail: pdemauroat_private
    Via Tortona, 31                 WWW: http://www.datanord.it/
    20144 Milano - Italy            Phone: +39 2 4895 61 - Fax: +39 2 4895 6327
    ATTENZIONE: NUOVI NUMERI DI TELEFONO --- NOTICE: NEW TELEPHONE NUMBERS
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:53 PDT