I have gotten a certain amount of response to my posting about the Apache DoS attack. Rather than follow up to each in particular, I'll summarize my replies here.

Several of you have pointed out that the Apache team *does* have an email address for reporting security vulnerabilities. I'm very glad to hear that; if I ever find a bug in Apache again, I'll report it to that address and give them a week. Yesterday, however, I was slightly under the shock of the discovery, and slightly pissed at not being able to find such an address anywhere. I apologize for letting this cloud my judgement and not giving the Apache team a chance to fix this before it hit the lists.

Others have pointed out that setting appropriate resource limits for the server will solve the problem. My reaction to that is that it does not solve anything; it merely circumvents a nasty bug by causing the server to die when the bug manifests itself. It does not change the fact that Apache has a memory consumption curve which is roughly a polynomial function of the size of its input.

To those of you who wrote along the lines of "I'll have to shut down my server until a fix comes out", that should not be necessary. Although not a good permanent solution, resource limits will allow your server to get through this relatively unscathed until a fix comes out. If you get hit badly by the kiddies, reduce MaxRequestsPerChild to a low single-digit number; this will prevent bloated httpd processes from hanging around too long. Those of you who tried the exploit and experienced server SIGSEGVs or "Broken Pipe" error messages from the exploit already have resource limits in place.

To the Apache team: sorry for springing this on you without warning. Despite nasty bugs like this, you generally do a very good job of writing a nice web server. Keep up the good work.

DES
--
Dag-Erling Smørgrav - dag-erliat_private
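The stop-gap the post describes (a per-process resource limit that makes a bloating httpd child die instead of eating the machine) can be demonstrated without Apache at all. The script below is an added example, not code from the original post or from the Apache project: it wraps an arbitrary command in a subshell with `ulimit -v` (an address-space cap, in kilobytes) and uses a `dd` allocation as a constructed stand-in for a runaway httpd child. The 128 MB cap, the 256 MB allocation and the function names are assumptions chosen for illustration; the point is that the same allocation succeeds uncapped and fails cleanly under the cap, which is exactly the "server dies when the bug manifests" behaviour the post calls a circumvention rather than a fix.

```shell
#!/bin/sh
# Added example, not from the original post or the Apache project.
# Shows how a per-process address-space limit (ulimit -v) turns a
# runaway allocation into a clean failure. Values and names below are
# illustrative assumptions.

# run_limited KBYTES CMD...
# Run CMD in a subshell whose virtual address space is capped at KBYTES
# kilobytes. Returns CMD's exit status. A command that outgrows the cap
# gets ENOMEM from the kernel and fails instead of growing without bound.
# In production the CMD would be the httpd binary (path not assumed here).
run_limited() {
    limit_kb=$1
    shift
    ( ulimit -v "$limit_kb" && "$@" ) 2>/dev/null
}

# stress_alloc MBYTES
# Constructed stand-in for a bloating httpd child: asks dd for a single
# MBYTES-megabyte buffer (block size given in bytes for portability).
# Exits non-zero if the allocation is refused.
stress_alloc() {
    bytes=$(( $1 * 1024 * 1024 ))
    dd if=/dev/zero of=/dev/null bs="$bytes" count=1 2>/dev/null
}

# limit_is_effective
# Returns 0 when (a) a 256 MB allocation succeeds uncapped and (b) the
# same allocation fails under a 128 MB (131072 KB) cap, i.e. the limit
# does what the post says it does. Returns 1 otherwise (for example on a
# system where ulimit -v is not honoured).
limit_is_effective() {
    stress_alloc 256 || return 1                 # uncapped: must succeed
    run_limited 131072 stress_alloc 256 && return 1   # capped: must fail
    return 0
}

if limit_is_effective; then
    echo "resource limit kills the runaway allocation (workaround holds)"
else
    echo "resource limit NOT effective on this system"
fi
```

To apply this to Apache itself, start httpd through `run_limited` (or put the equivalent `ulimit -v` in the startup script) and pair it with the low `MaxRequestsPerChild` the post recommends: the cap bounds how far one child can bloat, and the low request count bounds how long a bloated child survives. Note that `ulimit -v` caps address space, not resident memory, so size it with room for the httpd binary, shared libraries and normal per-child working set.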
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:53 PDT