From lcamtuf@POLBOX.COM Tue Jan 6 20:55:07 1998
From: Michał Zalewski
To: BUGTRAQ@NETSPACE.ORG
Date: Tue, 30 Dec 1997 11:07:04 +0100
Subject: Apache DoS attack?
Here's a simple exploit for Apache httpd version 1.2.x (tested on 1.2.4).
When launched, causes increases of victim's load average and extreme
slowdowns of disk operations. On my i586 Linux annoying slowdown has been
experienced immediately (after maybe 5 seconds). After about 4 minutes
work has been turned into real hell (286?).
Attached program ('beck') is a shell script. It works by sending
excessive http requests with thousands of '/'s inside (parsed from file
'beck.dat'). Single request causes just a little longer thinking of
Apache. But when requests are sent from a loop - huh, victim
system becomes slower and slower... At least on my machine, maybe when
Apache is running on a lightspeed workstation this script makes no
difference.
PS. Fast connection should help... All depends on victim's system
performance.
_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
=-=
From lcamtuf@POLBOX.COM Tue Jan 6 20:56:03 1998
From: Michał Zalewski
To: BUGTRAQ@NETSPACE.ORG
Date: Tue, 30 Dec 1997 17:34:47 +0100
Subject: Re: Apache DoS attack?
Apache patch by Mark Lowes:
[...]
+ /* Compress multiple '/' characters into one */
+ /* To prevent "GET //////..." attack */
[...]
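Review bot: the two added comment lines say what the change is for (collapsing runs of '/' so that a "GET //////..." request is shortened) but not which string is rewritten or at what point in request handling, and the code itself is elided in this excerpt. Suggest a single block comment that names the buffer being modified and states that the collapse runs before any filesystem lookup, instead of two separate one-line comments.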
After a few tests I discovered that Apache first looks for files
[index|homepage].[html|shtml|cgi] (probably it makes over 32000
chdirs :), then dies, throwing 'filename too long' error into logs.
Client gets 'Forbidden' response and disconnects. But httpd child
process still stays in background, wasting large amount of CPU time
and system resources. Note it happens _only_ after this error,
so '//...' sequence must be as long as possible (about 7 kB).
The PERFECT httpd patch should also fix httpd's cleanup, to make
httpd a little more stable :)
_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
=-=
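The slash compression named in the patch comment above, as an added example in C (not Mark Lowes's patch and not Apache's own code). It goes one step further than the comment by leaving the query string untouched and refusing paths that are still over-long after collapsing; the function names and the MAX_PATH_BYTES limit are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_BYTES 1024  /* hypothetical cap for this example */

/* Collapse each run of '/' in the first n bytes of s into one '/', in place.
 * Returns the new length of that region (no NUL is written here). */
static size_t collapse_slashes(char *s, size_t n)
{
    size_t r, w = 0;
    for (r = 0; r < n; r++) {
        if (s[r] == '/' && w > 0 && s[w - 1] == '/')
            continue;                 /* drop the repeated slash */
        s[w++] = s[r];
    }
    return w;
}

/* Normalize a request URI in place before any filesystem lookup.
 * Only the path part (up to '?') is rewritten; the query string is kept
 * byte for byte. Returns 0 on success, or -1 when the collapsed path is
 * still longer than MAX_PATH_BYTES and the request should be refused. */
int normalize_request_uri(char *uri)
{
    char *query = strchr(uri, '?');
    size_t path_len = query ? (size_t)(query - uri) : strlen(uri);
    size_t query_len = query ? strlen(query) : 0;
    size_t new_len = collapse_slashes(uri, path_len);

    if (query)                        /* slide the query down behind the path */
        memmove(uri + new_len, query, query_len);
    uri[new_len + query_len] = '\0';

    return new_len > MAX_PATH_BYTES ? -1 : 0;
}

int main(void)
{
    char uri[] = "//docs///index.html?next=//x";   /* constructed sample */
    int rc = normalize_request_uri(uri);
    printf("%d %s\n", rc, uri);
    return 0;
}
```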
From zen@CRIMELAB.NET Tue Jan 6 20:57:30 1998
From: Zen
To: BUGTRAQ@NETSPACE.ORG
Date: Tue, 30 Dec 1997 06:08:49 -0600
Subject: Re: Apache DoS attack?
Zalewski wrote:
: Here's a simple exploit for Apache httpd version 1.2.x (tested on
: 1.2.4). When launched, causes increases of victim's load average and
: extreme slowdowns of disk operations. On my i586 Linux annoying slowdown
: has been experienced immediately (after maybe 5 seconds). After about 4
: minutes work has been turned into real hell (286?).
I just tested this exploit on Apache httpd versions 1.0.x, 1.1.x, 1.2.x,
and 1.3.x (beta). All of the versions seem to be affected in one way or
another, but the 1.0.x and 1.1.x seem to be less effective, since the
load average goes down right after the attack has stopped, unlike 1.2.x
and 1.3.x, which kept going even after the attack has stopped.
--
Zen
Fourth Law of Revision:
It is usually impractical to worry beforehand about
interferences -- if you have none, someone will make one for you.