Re: Apache DoS attack?

Pancrazio DE MAURO (pdemauro@datanord.it)
Tue, 30 Dec 1997 18:10:17 +0100

> Here's a simple exploit for Apache httpd version 1.2.x (tested on 1.2.4).
> When launched, causes increases of victim's load average and extreme
> slowdowns of disk operations.

[...]

> Attached program ('beck') is a shell script. It works by sending
> excessive http requests with thousands of '/'s inside (parsed from file
> 'beck.dat').

Here is a simple workaround to temporarily solve the problem: before going
any further, this patch scans the URI provided by the client, and returns
an error if it contains more than PDM_MAX_SLASHES separators. The default
is 30; it should be plenty for most situations.

In case of a URI being trapped, this patch logs an entry into your error
log with the URI and address of the client. Beware, your log can become really
big.

As usual, cd to your src directory and patch with

patch < apache_patch

or proceed by hand.

I've tested it with apache 1.2.4 on Linux 2.0.29, Pentium 90 with 32 MB of
RAM. It works well with beck, even with multiple attacks.

It's by no means a permanent solution; I think the Apache guys will have
to rewrite something in the URI parsing code.

Hey, I'm no Apache guru, this is just a quick hack so... use it at your
own risk :-)

---8<---CUT HERE---8<---

*** http_protocol.c.orig Fri Aug 15 19:08:51 1997
--- http_protocol.c Tue Dec 30 17:40:44 1997
***************
*** 643,648 ****
--- 643,665 ----
r->method = getword_white(r->pool, &ll);
uri = getword_white(r->pool, &ll);
uri = check_fulluri(r, uri);
+ /* PDM */
+ {
+ #define PDM_MAX_SLASHES 30
+ int i, count;
+ char c;
+
+ count = 0;
+ for(i = 0; ((c = uri[i]) != '\0') && (count < PDM_MAX_SLASHES); i++)
+ if((uri[i] == '/') || (uri[i] == '\\'))
+ count++;
+ if(count >= PDM_MAX_SLASHES) {
+ log_printf(r->server, "Warning: URI `%s' from %s contains too many directory separators, possible DoS attack?", uri, get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME));
+ r->status = HTTP_REQUEST_URI_TOO_LARGE;
+ return 0;
+ }
+ }
+ /* PDM */
parse_uri (r, uri);

r->assbackwards = (ll[0] == '\0');
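Review bot: in the added loop `c` is assigned from `uri[i]` but the body tests `uri[i]` again, so `c` is effectively unused and will draw a compiler warning; either test `c` or drop the variable. Also, the `log_printf` call writes the full client-supplied URI into the error log, and by the quoted description these requests carry thousands of separators, so each trapped request produces a multi-kilobyte log line; consider logging only a bounded prefix of `uri` (for example with a `%.80s` format) alongside the separator count, which keeps the evidence useful without letting the attacker dictate log volume.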

---8<---CUT HERE---8<---

Greetings,

--
Pancrazio `Ezio' DE MAURO       Networking Division
Datanord Multimedia             E-mail: pdemauro@datanord.it
Via Tortona, 31                 WWW: http://www.datanord.it/
20144 Milano - Italy            Phone: +39 2 4895 61 - Fax: +39 2 4895 6327
NOTICE: NEW TELEPHONE NUMBERS
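The check the patch above adds to http_protocol.c, written as an added, stand-alone C example (not the post's code and not Apache's own): the function name check_uri_separators, the out-parameter reporting how many bytes were examined, and the constructed test URIs are all mine. The point it makes explicit is that the scan stops as soon as the limit is reached, so the cost of rejecting a URI stuffed with thousands of separators is bounded by the limit, not by the length of the request.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tolerated number of directory separators in a request URI; same default
   value as the PDM_MAX_SLASHES constant in the patch (assumption: a
   stand-alone constant, not Apache's). */
#define MAX_SEPARATORS 30

/* Return 1 when uri contains max_separators or more '/' or '\\' characters,
   0 otherwise. If scanned is non-NULL it receives the number of bytes the
   loop actually examined: the loop exits as soon as the limit is hit, so for
   an oversized URI this stays at max_separators regardless of URI length. */
int check_uri_separators(const char *uri, int max_separators, size_t *scanned)
{
    int count = 0;
    const char *p;

    for (p = uri; *p != '\0' && count < max_separators; p++) {
        if (*p == '/' || *p == '\\')
            count++;
    }
    if (scanned)
        *scanned = (size_t)(p - uri);
    return count >= max_separators;
}

/* Build a constructed test URI: n slashes followed by "index.html".
   The caller frees the result. */
char *make_slash_uri(size_t n)
{
    char *buf = malloc(n + sizeof "index.html");
    if (!buf)
        return NULL;
    memset(buf, '/', n);
    strcpy(buf + n, "index.html");
    return buf;
}

int main(void)
{
    /* Constructed inputs: an ordinary CGI path and a 5000-slash request. */
    const char *normal = "/cgi-bin/a/b/c/d/e.cgi";
    char *flood = make_slash_uri(5000);
    size_t scanned;

    if (!flood)
        return 1;

    printf("%s -> %s\n", normal,
           check_uri_separators(normal, MAX_SEPARATORS, &scanned)
               ? "rejected" : "accepted");
    printf("5000-slash URI -> %s after %zu bytes\n",
           check_uri_separators(flood, MAX_SEPARATORS, &scanned)
               ? "rejected" : "accepted",
           scanned);
    free(flood);
    return 0;
}
```

Both separator characters are counted, as in the patch, because the check runs before Apache's own URI parsing. The `scanned` value is what a reviewer would look at when judging whether a mitigation like this is itself cheap enough to survive repeated attack traffic.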