[7631] in bugtraq
Re: Apache DoS Attack
daemon@ATHENA.MIT.EDU (Pim van Riezen)
Wed Aug 12 16:22:57 1998
Date: Tue, 11 Aug 1998 21:48:31 -0700
Reply-To: pim@WEBCITY.NL
From: Pim van Riezen <pim@WEBCITY.NL>
To: BUGTRAQ@NETSPACE.ORG
Jonathan Freeman wrote:
>
> We just tested the Sioux (Apache DoS) bug on:
>
> <> IIS 3.0 (Service Pack 3)
>
> causes immediate jump to 100% CPU for approx. 5 seconds
> multiple attacks can keep the CPU in the 90% range
>
> <> IIS 4.0 (Service Pack 3)
>
> causes immediate jump to 80% CPU for approx. a half second
> multiple attacks DO NOT cause more than 40% sustained CPU
> range
>
> <> Apache 1.1.1 (Unix) (Caldera OpenLinux)
>
> causes jump to 66% CPU for each get request and attempts
> to use all available swap space for memory. Can be DoS'd
> easily.
>
> <> WebSitePro 2.3.4 (Service Pack 3)
>
> causes immediate jump to 99% CPU for approx. 5 seconds
> unknown if DoS would be possible for multiple attacks

Is there any good reason for any of these programs to merge headers
internally in the first place? I'm wondering because I am actually working
on a webserver and noted that the code wasn't vulnerable because of the
way I chose to implement header-handling (which didn't include any
header-merging code). I wonder if there are any situations where a
client legitimately sends two headers of the same type (in which case I
would have to add header-merging code) or is this following conventions
for the sake of following conventions (in which case I might feel
inclined to stay lazy :-)? Input is welcome.
Regards,
Pim van Riezen
--
"I'm at the corner of Walk and Don't Walk, where shall we meet?"
Operations - SaltLake.UT.US.Undernet.Org
Channel LART - #linux Undernet
Programmer sometimes LART - Microhill Automation
Cat5 Monkey - Webcity / Internet Facilities Europe
Eerie-eyed Visionair Software Developer - StealthTech Networking
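
On the question of merging repeated headers: HTTP/1.1 lets a field name repeat when its value is a comma-separated list, so a server that does merge can do it under hard per-request limits. The following is an added example, not code from this post or from any server named in it; the limits, struct layout and the names `hdr_add` and `name_eq` are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Assumed limits for this sketch; a real server would tune them. */
#define MAX_FIELDS 32    /* distinct header names per request */
#define MAX_LINES  100   /* header lines per request, repeats included */
#define MAX_VALUE  1024  /* bytes of merged value kept per name */

struct field   { char name[64]; char value[MAX_VALUE]; size_t len; };
struct headers { struct field f[MAX_FIELDS]; int nfields; int nlines; };

/* Header field names compare case-insensitively. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Add one parsed header line. A repeated name is merged as "a, b".
 * Returns 0 on success, -1 when a limit is hit, in which case the
 * caller should reject the request instead of allocating more. */
int hdr_add(struct headers *h, const char *name, const char *value)
{
    size_t vlen = strlen(value);
    struct field *f = NULL;
    if (++h->nlines > MAX_LINES || strlen(name) >= sizeof f->name)
        return -1;
    for (int i = 0; i < h->nfields; i++)
        if (name_eq(h->f[i].name, name)) { f = &h->f[i]; break; }
    if (f == NULL) {                      /* first occurrence of name */
        if (h->nfields == MAX_FIELDS || vlen >= MAX_VALUE)
            return -1;
        f = &h->f[h->nfields++];
        strcpy(f->name, name);
        memcpy(f->value, value, vlen + 1);
        f->len = vlen;
        return 0;
    }
    /* Repeat: append at the stored length, so one merge copies only
     * the new value and the buffer never grows past MAX_VALUE. */
    if (f->len + 2 + vlen >= MAX_VALUE)
        return -1;
    memcpy(f->value + f->len, ", ", 2);
    memcpy(f->value + f->len + 2, value, vlen + 1);
    f->len += 2 + vlen;
    return 0;
}
```

The caller zero-initialises one `struct headers` per request and treats a `-1` return as grounds for a 4xx response.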