Re: YA Apache DoS attack

From: Marc Slemko (marcsat_private)
Date: Fri Aug 07 1998 - 16:19:58 PDT


    On Fri, 7 Aug 1998, Dag-Erling Coidan Smørgrav wrote:
    
    > There seems to be a simple way of badly DoSing any Apache server. It
    > involved a massive memory leak in the way it handles incoming request
    > headers.
    
    No, this is particular to multiple headers with the same name.  I have
    verified in the past that several different combinations of long and
    large numbers of headers do nothing but blow it up to a size reasonable
    for the amount of data received.  There are still possible arguments for
    limiting that, but in general attacks like that which are linear in the
    bandwidth used aren't too serious or rare.
    
    In this case, however, because the names of the headers are all the same,
    they are merged in Apache's tables.  Each time they are merged, a new
    string is allocated with the extra header tacked on the end (e.g.
    User-Agent: sioux --> User-Agent: sioux, sioux) in the standard method of
    merging HTTP headers.  The memory usage you are seeing comes from the
    summation from 1 to 10000 of the size of the string, which is ~50000000
    copies of "sioux, " which is ~350 megs.
    
    Because of Apache's pool based memory structure, the memory isn't freed in
    that loop, so it grows.  There isn't actually a memory leak, just a huge
    amount of memory use which has obviously negative impacts.
    
    One workaround (that is a good idea in general, anyway) would be to set a
    ulimit on memory usage before starting Apache, which can catch such things
    easily and quickly.
    
    An official fix will be available when ready.
    
    [...]
    > BTW, how can the Apache team be stupid enough not to provide a way of
    > submitting problem reports by email? If they did, I'd've sent this to
    > them first and given them a week, but they don't and I'm too friggin'
    > lazy to use their web interface...
    
    (the below is strictly my personal opinion)
    
    I personally find that attitude pathetic.  You can spend who knows how
    long looking at this, adding a copyright notice to your script, writing
    this all up, etc. but can't take 2 minutes to fill out a form.
    
    The obvious answer as to why we don't have an email address for general
    bug reporting is that it takes far too many resources and is silly to
    manually enter huge numbers of bug reports into our bug database.  If you
    think the Apache Group has the resources to answer everyone who wants to
    email anything in the way of a bug report or their configuration problem
    to us, you are wrong.
    
    It is unfortunate that you decided you don't care about Apache or have any
    respect for the people that spend their time on it.  No matter who the
    vendor is, it only makes sense to report it to them first.  It is better
    for everyone, especially the users.  Full disclosure doesn't mean you
    don't tell the vendor, it means that you expect action in a reasonable
    amount of time and, when a fix is available the full details of the
    problem and impact are made available.
    
    securityat_private will always work just fine for security issues,
    although it isn't as well publicized as it could be.
    
    --
         Marc Slemko     | Apache team member
         marcsat_private  | marcat_private
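
Added example (not part of the original message and not Apache's code): a small C model of the behaviour described above, where each repeated header is merged into a freshly allocated string and the pool keeps every earlier copy, so memory held grows with the sum from 1 to n. The pool type, the function names and the `max_fields` cap are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a request pool: memory is released only when the whole
   pool is destroyed, never per allocation (hypothetical, not Apache's). */
struct chunk { struct chunk *next; };
struct pool  { struct chunk *head; size_t bytes_held; };

static void *pool_alloc(struct pool *p, size_t n) {
    struct chunk *c = malloc(sizeof *c + n);
    if (!c) abort();
    c->next = p->head; p->head = c;
    p->bytes_held += n;
    return c + 1;
}

static void pool_destroy(struct pool *p) {
    while (p->head) { struct chunk *c = p->head; p->head = c->next; free(c); }
}

/* Feed n same-named headers carrying `val`. Each merge allocates a fresh
   "old, val" string while the old one stays in the pool. max_fields is a
   hypothetical per-request cap (0 = none). Returns bytes held at the end. */
size_t bytes_after_repeats(const char *val, size_t n, size_t max_fields) {
    struct pool p = {0};
    size_t lv = strlen(val), lo = 0;   /* lo = length of merged value so far */
    char *cur = NULL;
    for (size_t i = 0; i < n && !(max_fields && i >= max_fields); i++) {
        char *s = pool_alloc(&p, (cur ? lo + 2 : 0) + lv + 1);
        if (cur) { memcpy(s, cur, lo); memcpy(s + lo, ", ", 2); lo += 2; }
        memcpy(s + lo, val, lv + 1);   /* append value and its NUL */
        lo += lv; cur = s;
    }
    size_t held = p.bytes_held;
    pool_destroy(&p);                  /* only now is anything freed */
    return held;
}

/* Closed form of the same sum: n first copies plus (lv+2)*(0+1+...+(n-1)). */
size_t predicted_bytes(size_t lv, size_t n) {
    return n * (lv + 1) + (lv + 2) * (n * (n - 1) / 2);
}

int main(void) {
    printf("1000 headers, no cap:  %zu bytes\n", bytes_after_repeats("sioux", 1000, 0));
    printf("10000 headers (model): %zu bytes\n", predicted_bytes(5, 10000));
    return 0;
}
```

For 10000 copies of "sioux" the closed form gives about 350 MB, matching the figure in the message, while a cap of 100 fields keeps the same request to tens of kilobytes.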
    