Jonathan Freeman wrote:
>
> We just tested the Sioux (Apache DoS) bug on:
>
> <> IIS 3.0 (Service Pack 3)
>
>    causes immediate jump to 100% CPU for approx. 5 seconds
>    multiple attacks can keep the CPU in the 90% range
>
> <> IIS 4.0 (Service Pack 3)
>
>    causes immediate jump to 80% CPU for approx. a half second
>    multiple attacks DO NOT cause more than 40% sustained CPU
>    range
>
> <> Apache 1.1.1 (Unix) (Caldera OpenLinux)
>
>    causes jump to 66% CPU for each get request and attempts
>    to use all available swap space for memory. Can be DoS'd
>    easily.
>
> <> WebSitePro 2.3.4 (Service Pack 3)
>
>    causes immediate jump to 99% CPU for approx. 5 seconds
>    unknown if DoS would be possible for multiple attacks

Is there any good reason for any of these programs to merge headers
internally in the first place? I'm wondering because I am actually working
on a webserver and noted that the code wasn't vulnerable because of the
way I chose to implement header-handling (which didn't include any
header-merging code). I wonder if there are any situations where a client
legitimately sends two headers of the same type (in which case I would
have to add header-merging code), or is this following conventions for the
sake of following conventions (in which case I might feel inclined to stay
lazy :-)? Input is welcome.

Regards,
Pim van Riezen
--
"I'm at the corner of Walk and Don't Walk, where shall we meet?"
Operations - SaltLake.UT.US.Undernet.Org
Channel LART - #linux Undernet
Programmer sometimes LART - Microhill Automation
Cat5 Monkey - Webcity / Internet Facilities Europe
Eerie-eyed Visionair Software Developer - StealthTech Networking
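An added example for the question above, not code from the thread or from the poster's server: RFC 2616 section 4.2 does let a client send a field name more than once when the value is a comma-separated list (Accept, Cache-Control and similar), and tells the receiver it may combine them. So a server that wants to be conformant needs merging code, but merging is only a problem when it is unbounded. The parser below merges repeated headers the RFC way while capping the number of header lines and the size of any merged value, and checks both before the larger string is built. The limits, the `parse_request_head`/`exceeds_limits` names and the two sample requests are assumptions constructed for this example.

```python
# Added example for this thread (not the poster's server code): a bounded
# HTTP/1.x request header parser that merges repeated field names the way
# RFC 2616 section 4.2 permits (comma-joined, in the order received) while
# capping the number of header lines and the size of any merged value, so
# that a request repeating one header many times is rejected before it can
# grow the server's memory. The limits below are assumed values.

from typing import Dict, Tuple

MAX_HEADER_LINES = 100        # assumed: raw header lines accepted per request
MAX_FIELD_VALUE_BYTES = 4096  # assumed: largest merged value we will hold


class HeaderLimitExceeded(ValueError):
    """Raised when a request exceeds a configured header limit."""


def parse_request_head(raw: bytes,
                       max_lines: int = MAX_HEADER_LINES,
                       max_value: int = MAX_FIELD_VALUE_BYTES
                       ) -> Tuple[str, Dict[str, str]]:
    """Parse the request line and header block (up to the blank line).

    Returns (request_line, headers) with field names lower-cased. A field
    name seen twice is merged as "first, second", which is legitimate for
    list-valued headers such as Accept or Cache-Control. Every check runs
    before the larger string is built, so the bound holds on peak memory.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is not terminated by an empty line")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    header_lines = lines[1:]
    if len(header_lines) > max_lines:
        raise HeaderLimitExceeded(
            f"{len(header_lines)} header lines exceeds limit of {max_lines}")

    headers: Dict[str, str] = {}
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            # Obsolete line folding; refusing it keeps the size math simple.
            raise ValueError("obsolete line folding is not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().decode("ascii").lower()
        val = value.strip().decode("latin-1")
        if key in headers:
            # Merge per RFC 2616 4.2, but only if the result stays bounded.
            new_len = len(headers[key]) + 2 + len(val)
            if new_len > max_value:
                raise HeaderLimitExceeded(
                    f"merged value of {key!r} would be {new_len} bytes")
            headers[key] = headers[key] + ", " + val
        else:
            if len(val) > max_value:
                raise HeaderLimitExceeded(
                    f"value of {key!r} is {len(val)} bytes")
            headers[key] = val
    return request_line, headers


def exceeds_limits(raw: bytes) -> bool:
    """True if the request trips a header limit (used for the checks below)."""
    try:
        parse_request_head(raw)
    except HeaderLimitExceeded:
        return True
    return False


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Accept: text/html\r\n"
    b"Accept: text/plain\r\n"
    b"\r\n"
)
# The same header repeated far more often than any client legitimately would.
FLOOD_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    + b"".join(b"X-Repeat: x\r\n" for _ in range(500))
    + b"\r\n"
)

if __name__ == "__main__":
    print(parse_request_head(NORMAL_REQUEST))
    print("flood rejected:", exceeds_limits(FLOOD_REQUEST))
```

The two Accept lines in the normal request come out as a single `accept: text/html, text/plain` entry, which is what a list-valued header is supposed to look like after combining; the flood request is refused on the line count alone, before any value is concatenated. Headers whose values are not comma lists (Content-Length is the usual example) should not be merged at all, and a server that sees them repeated with differing values has a good reason to reject the request rather than pick one.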
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:12:13 PDT