Re: Apache DoS attack?

=?US-ASCII?Q?Micha=B3_Zalewski?= (lcamtuf@POLBOX.COM)
Tue, 30 Dec 1997 17:34:47 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Zen: "Re: Apache DoS attack?"
Previous message: Mark Whitis: "Re: StackGuard: Automatic Protection From Stack-smashing Attacks"
Maybe in reply to: =?UNKNOWN-8BIT?Q?Micha=B3?= Zalewski: "Apache DoS attack?"
Next in thread: Zen: "Re: Apache DoS attack?"

Apache patch by Mark Lowes:

[...]
+ /* Compress multiple '/' characters into one */
+ /* To prevent "GET //////..." attack */
[...]

After a few tests I discovered that Apache first looks for files
[index|homepage].[html|shtml|cgi] (probably it makes over 32000
chdirs :), then dies, throwing 'filename too long' error into logs.
Client gets 'Forbidden' response and disconnects. But httpd child
process still stays in background, wasting large amount of CPU time
and system resources. Note it happends _only_ after this error,
so '//...' sequence must as long as it's possible (about 7 kB).
The PERFECT httpd patch should also fix httpd's cleanup, to make
httpd a little more stable :)

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=

Next message: Zen: "Re: Apache DoS attack?"
Previous message: Mark Whitis: "Re: StackGuard: Automatic Protection From Stack-smashing Attacks"
Maybe in reply to: =?UNKNOWN-8BIT?Q?Micha=B3?= Zalewski: "Apache DoS attack?"
Next in thread: Zen: "Re: Apache DoS attack?"