Re: Apache DoS attack?

=?US-ASCII?Q?Micha=B3_Zalewski?= (lcamtuf@POLBOX.COM)
Tue, 30 Dec 1997 17:34:47 +0100

Apache patch by Mark Lowes:

[...]
+ /* Compress multiple '/' characters into one */
+ /* To prevent "GET //////..." attack */
[...]

After a few tests I discovered that Apache first looks for files
[index|homepage].[html|shtml|cgi] (probably it makes over 32000
chdirs :), then dies, throwing 'filename too long' error into logs.
Client gets 'Forbidden' response and disconnects. But httpd child
process still stays in background, wasting large amount of CPU time
and system resources. Note it happends _only_ after this error,
so '//...' sequence must as long as it's possible (about 7 kB).
The PERFECT httpd patch should also fix httpd's cleanup, to make
httpd a little more stable :)

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=