From lcamtuf@BOSS.STASZIC.WAW.PL Sat Jan 10 16:25:04 1998
From: "Michał Zalewski"
To: BUGTRAQ@NETSPACE.ORG
Date: Wed, 31 Dec 1997 17:09:22 +0100
Subject: Apache memory/process management.

Here is another (less interesting) example of an Apache DoS attack,
called 'beck2'. The only thing I want to show is very ineffective
management of memory, CPU time and other resources. This attack is
possible in two cases:

1. Attacker owns an account on a victim machine, or
2. Victim's directory structure is very deep (?).

When one of the above statements is true, it's possible to perform a
remote attack, even when Apache has already been patched against
the first version of 'beck'. More details can be deduced from the
sources :)

In a well-configured system, any kind of DoS attack should be at least
ineffective (resources *required* to attack should be significantly
larger than resources *affected* by the attack ;). Unfortunately, it's
very, very easy to attack Apache servers using a minimal amount of
time and brain resources :) Maybe it's time to rewrite larger parts
of the code?

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=

=-=

From dgaudet@ARCTIC.ORG Sat Jan 10 16:25:50 1998
From: Dean Gaudet 
To: BUGTRAQ@NETSPACE.ORG
Date: Wed, 31 Dec 1997 12:36:39 -0800
Subject: Re: Apache memory/process management.

I really doubt that bugtraq is the place to continue this discussion.  I
suggest that you move it to the Apache development mailing list
new-httpd@apache.org, subscribe via majordomo@apache.org (it's a reply-to
style list so it's not useful for discussion with folks who are off the
list).  This is documented in the ABOUT_APACHE file.  We also have a bug
reporting system through which you can report these bugs.  Remember we're
free software, and if you can help constructively it's appreciated.

I sent this to you in private mail, but I'll post it again here.  I said
something like this in my post that contained a patch for your first
problem but that post never seemed to make it to bugtraq.

Apache, like every other network service I'm aware of, is subject to DoS
attacks that consume resources.  That's it, period.  We can't guarantee
we'll catch every one of them.  I really don't think posting them
one-by-one to bugtraq is going to help anything.  Perhaps you'd be better
spending your time working on a more generic solution than forcing us to
tweak one problem at a time.

Folks can see some of my thoughts on a related issue, and see yet another
DoS attack, by visiting .  That is
specific to memory consumption.  But there's obviously more we can do in a
similar vein using resource limits.  Doing all of this comes at a
performance penalty.

I don't think I have to explain examples of DoS attacks against all web
servers, or against smtp daemons, or IRC servers, or any number of
networked services.  They exist in all of them.  Creating generic
workarounds is an effort much more well spent than poking away at the
problems one by one as they're discovered.

Performance problems like the first beck patch are things that we will
notice as we profile the server.  Until recently most of my effort on
tuning Apache's performance has been in the syscall area.  However in 1.3
there are other changes to how directories are handled that could have an
impact on your beck2 attack.  I know for certain that your beck2 attack is
affected by the performance tuning guidelines at
.  Specifically the
sections mentioning lstat() and stat().

But the easiest way to fix beck2 is to use mod_rewrite to lift this
problem out of the filesystem.  Add these to your config:

    RewriteEngine on
    RewriteRule /+[^/]+/+[^/]+/+ /yeah-whatever.html

Add any number more slashes as are appropriate for your system.  This is
not a decision that Apache can make, slashes do not necessarily have to
have filesystem semantics.

Dean
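
An added example, not part of either mail and not Apache's own code: the RewriteRule pattern quoted above, generalised to N directory levels, with a helper that picks N from a list of legitimate URL paths so the rule only fires on deeper requests. The function names, the sample paths and the use of Python's re.search as a stand-in for Apache's unanchored regex match are assumptions.

```python
import re

def depth_limit_pattern(levels):
    """Regex matching any URL path with at least `levels` directory components.

    levels=2 reproduces the pattern in the mail: /+[^/]+/+[^/]+/+
    """
    if levels < 1:
        raise ValueError("levels must be >= 1")
    return "/+" + "[^/]+/+" * levels

def dir_depth(path):
    """Number of non-empty path components that are followed by a slash."""
    return len(re.findall(r"[^/]+/+", path))

def required_levels(site_paths):
    """Smallest `levels` that leaves every legitimate path untouched."""
    return max(dir_depth(p) for p in site_paths) + 1

def is_rewritten(path, levels):
    # Assumption: re.search stands in for Apache's unanchored regex match.
    return re.search(depth_limit_pattern(levels), path) is not None

def rewrite_rule(levels, target="/yeah-whatever.html"):
    """Config line for the given depth; refuses a target the rule would match."""
    if is_rewritten(target, levels):
        raise ValueError("target matches the pattern and would be rewritten again")
    return "RewriteRule %s %s" % (depth_limit_pattern(levels), target)

# Constructed sample data, not taken from the mail.
SITE_PATHS = ["/index.html", "/docs/index.html", "/docs/api/ref.html"]
REQUESTS = ["/docs/api/ref.html", "//docs///api//ref.html",
            "/a/b/c/d.html", "/x//y///z////w/"]

if __name__ == "__main__":
    n = required_levels(SITE_PATHS)
    print(rewrite_rule(n))
    for r in REQUESTS:
        print("%-28s %s" % (r, "rewritten" if is_rewritten(r, n) else "served"))
```

Because each component is matched with `[^/]+`, runs of repeated slashes do not add depth; only non-empty components followed by a slash count toward the limit.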