Attack On a Significant Flaw In Apache Released
Zerimar points out that a significant flaw in Apache that can lead to a fairly trivial DoS attack is in the wild. Apache 1.x, 2.x, dhttpd, GoAhead WebServer, and Squid are confirmed vulnerable, while IIS6.0, IIS7.0, and lighttpd are confirmed not vulnerable. As of this writing, the Apache Foundation does not have a patch available. From Rsnake's introduction to the attack tool: "In considering the ramifications of a slow denial of service attack against particular services, rather than flooding networks, a concept emerged that would allow a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. The ideal situation for many denial of service attacks is where all other services remain intact but the webserver itself is completely inaccessible. Slowloris was born from this concept, and is therefore relatively very stealthy compared to most flooding tools."
Of course it's boring to the /. crowd. It affects an open source product, so it must be boring. However, if the roles had been reversed and IIS was affected, everyone would be up in arms screaming defective by design etc. You people make me sick.
Only 40 comments? OK, I will do my nerd duty and get the flame war started:
This event is proof that proprietary software is more secure than open source.
Next up: Emacs: better than vi or way better than vi?
I guess that's a good thing... you've raised the level of competence of IIS Admins by leaving. Thanks, Bill
It's my Sig and you can't have it. Mine! All Mine!