Attack On a Significant Flaw In Apache Released

← Back to Stories (view on slashdot.org)

Attack On a Significant Flaw In Apache Released

Posted by kdawson on Friday June 19, 2009 @02:17AM from the take-it-slow dept.

Zerimar points out a significant flaw in Apache that can lead to a fairly trivial DoS attack is in the wild. Apache 1.x, 2.x, dhttpd, GoAhead WebServer, and Squid are confirmed vulnerable, while IIS6.0, IIS7.0, and lighttpd are confirmed not vulnerable. As of this writing, Apache Foundation does not have a patch available. From Rsnake's introduction to the attack tool: "In considering the ramifications of a slow denial of service attack against particular services, rather than flooding networks, a concept emerged that would allow a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. The ideal situation for many denial of service attacks is where all other services remain intact but the webserver itself is completely inaccessible. Slowloris was born from this concept, and is therefore relatively very stealthy compared to most flooding tools."

14 of 203 comments (clear)

So slashdot... by santax · 2009-06-19 02:22 · Score: 5, Funny

be prepared to feel the slashdot-effect yourself for once!
1. Re:So slashdot... by jamie · 2009-06-19 03:13 · Score: 4, Informative
  
  We have a hardware load-balancer and a software reverse proxy (varnish) in front of our apache.
  I kinda doubt this would work on us.
  Note, I am not inviting anyone to try. It might work great for all I know :(
Boring by Anonymous Coward · 2009-06-19 02:29 · Score: 5, Insightful

Talk about a boring exploit: no chance for expanding the attack into anything other than a DOS, and if it becomes widespread enough, fairly trivial to fix... (just kill the oldest waiting client that does not have a full header when the last client is taken.) I'd be embarrassed to publish something like this....
iptables helps by samjam · 2009-06-19 02:30 · Score: 4, Informative

You can have perlbal or any reverse proxy on the same machine but listening on a different port and then use iptables to redirect like this
# iptables -t nat -A -PREROUTING -d ! 127.0.0.1 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
and then you don't need to change your apache configuration - and having apache listen on a different port to what users see can break some scripted sites if they read the port number from the apache config.

--
blog.sam.liddicott.com
Seems to be a general problem. by Z00L00K · 2009-06-19 02:30 · Score: 4, Insightful

And the only resolution right now that I can see is to have a connection timeout.
At least the problem is a denial of service problem and not a problem with intrusion so the damage is easily rectified - restart the web server. Not that you really want to restart it.
And I suspect that other services can be vulnerable to this type of attack too, not only web servers.

--
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Re:Possible work-around by Bootvis · 2009-06-19 02:47 · Score: 5, Funny

The thing that is really amazing about this hack: Human readable perl!

--
Read, refresh, repeat.
Re:Why not IIS? by Opportunist · 2009-06-19 02:51 · Score: 4, Funny

If the vulnerability is based on correct, standard conform behaviour of the server, I can see why IIS isn't susceptible to it.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
HTTP hints at a solution by greed · 2009-06-19 02:54 · Score: 5, Informative

HTTP 1.1 specifies a status code for "Request Timeout" (408) and "Gateway Timeout" (504).
What is needed, therefore, is a timer running for receiving the complete header, and a second one for accepting the body. The timer for the body can be controlled by the type of request and the Content-Length header. (With, of course, a specific cap.)
Currently, Apache 2.2 has a single timeout value for all types of requests, but it is interpreted differently for the different types.
If your server only handles GETs, the obvious thing is to crank that number down. Unfortunately, for PUTs, the TimeOut value affects inter-packet time in the request, not overall request time.
Strangely, the timeout doesn't seem to run in 2.2.10 and 2.2.11 before data is received. Oh dear. That's an even simpler DoS.

#!/usr/bin/env perl use IO::Socket::INET; use strict; use constant DEFAULT_PORT => "http"; MAIN: { if(@ARGV<1 or @ARGV>2) { die "Usage: $0 host [port]\n"; } my($host)=shift; my($port)=@ARGV?shift:DEFAULT_PORT; my(@sockets); for(my $cnt=0;$cnt<1000;++$cnt) { my $socket=new IO::Socket::INET(PeerAddr=>$host, PeerPort=>$port, Proto=>"tcp"); unless(defined($socket)) { die "Cannot create socket to $host:$port--$!\n"; } $socket->print("\r\n"); push(@sockets,$socket); print " Have ".@sockets." open.\n"; } }

Not quite as stealthy, though. At least as above.
1. Re:HTTP hints at a solution by greed · 2009-06-19 03:48 · Score: 5, Funny
  
  BTW, is there a self-mod value for "I'm not sure I should have posted that"?
Re:Why not IIS? by Amouth · 2009-06-19 03:03 · Score: 5, Informative

unless you are using Session()'s in asp in IIS then one thread in IIS handles multiple connections.
what this is doing is opening a connection (getting a thread to work it) and holding it open (keeping the thread busy) and just keep asking for new ones.
it is very common (always i think) for Apache and allot of web servers to have a max thread's so that the site under heavy traffic doesn't open more connections than it can handle.
where IIS also has a worker thread limit - there is no limit *(you can set one - but not on by default) on how many concurrent connections can be managed by a thread (and new incoming connections are passed to the thread with the lowest current work load - not always the one with less connections)..
if you do what they are doing here i can see IIS behavior would be to slowly pile all these slow - no work connections into one thread and the others would happily go about doing actual work..
where apache would slowly lose access to workable threads as this keeps them busy.
this isn't an exploit on the http or tcp protocol - it is an exploit based on the behavior of the web server based on it's best practices for managing it.

--
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
Re:Why not IIS? by Malc · 2009-06-19 03:08 · Score: 5, Insightful

Does the HTTP spec say anything about the server application timing out the connection? Seems like reasonable behaviour to me. I would be surprised if this isn't a configurable option in Apache too.
People love to hate it, but IIS has matured in to a very good web server. It's my choice over Apache.
Re:WTH? This is an absolutely trivial attack by dword · 2009-06-19 03:20 · Score: 4, Informative

Let me make this clearer for those that aren't very technical: It's holding an HTTP session open and Apache has a limited number of simultaneous HTTP sessions.
All someone has to do is send about 100 requests to your website and leave them open without sending any further information. Nobody else will be able to connect to your web server for a long time. The weekend is coming, so I'm expecting lots of downtime for government sites in the next couple of days...
Re:Why not IIS? by Bemopolis · 2009-06-19 04:09 · Score: 5, Funny

Why isn't IIS vulnerable
My guess is that the DoS attack is so slow that, by the time it would have completed, the server has already crashed for a different reason.

--
"I guess the moral of the story is, don't paint your airship with rocket fuel." -- Addison Bain
Link to the specific article by Megane · 2009-06-19 05:21 · Score: 4, Informative

If you're going to post links to isc.sans.org, can you please post links to the specific article, and not just the main page?
Here is the link to the specific article: http://isc.sans.org/diary.html?storyid=6601

--
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }