[7682] in bugtraq


Re: YA Apache DoS attack

daemon@ATHENA.MIT.EDU (Kovacs Andrei)
Sat Aug 15 22:02:45 1998

Date: 	Sun, 16 Aug 1998 02:18:38 -0200
Reply-To: Kovacs Andrei <andik@ns.upet.ro>
From: Kovacs Andrei <andik@NS.UPET.RO>
X-To:         Dag-Erling Coidan =?ISO-8859-1?Q?Sm=F8rgrav?= <finrod@EWOX.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <861zqspvtw.fsf@niobe.ewox.org>

On Fri, 7 Aug 1998, Dag-Erling Coidan Smørgrav wrote:

> There seems to be a simple way of badly DoSing any Apache server. It
> involved a massive memory leak in the way it handles incoming request
> headers. I based my exploit on the assumption that they use setenv()
> (which they don't) and that the bug occurs when you send a header that
> will end up as an environment variable if you request a CGI script
> (such as User-Agent), but I have since verified that there is no
> connection there. Anyway, you can blow Apache through the roof by
> sending it tons of headers - the server's memory consumption seems to
> be a steep polynomial of the amount of data you send it. Below is a
> snapshot of top(1) about one minute after I sent my server a request
> with 10,000 copies of "User-Agent: sioux\r\n" (totalling 190,016 bytes
> of data)
>
        Today when I was looking at the Apache 1.3.1 help files I've found a
parameter that might stop this: "RLimitMem". I guess this should make Apache
use only the amount of memory that you want to.

        Andy
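
An added illustration, not part of the original message and not Apache's code: the general server-side defence against the behaviour in the quoted report is to cap the number and length of header lines before storing any of them. The function names, the limit values (100 fields, 8190 bytes per line) and the in-memory sample request are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

enum hdr_status { HDR_OK, HDR_TOO_MANY_FIELDS, HDR_LINE_TOO_LONG, HDR_INCOMPLETE };
struct hdr_limits { size_t max_fields; size_t max_line; /* bytes, incl. LF */ };

/* Added example (not Apache code): walk the request line and header lines and
 * stop at the first violated limit. *consumed = bytes examined up to that point. */
enum hdr_status scan_headers(const char *buf, size_t len,
                             const struct hdr_limits *lim, size_t *consumed)
{
    size_t pos = 0, lines = 0;
    while (pos < len) {
        size_t window = len - pos < lim->max_line ? len - pos : lim->max_line;
        const char *eol = memchr(buf + pos, '\n', window);
        if (!eol) {                       /* no LF inside the allowed window */
            *consumed = pos + window;
            return window == lim->max_line ? HDR_LINE_TOO_LONG : HDR_INCOMPLETE;
        }
        size_t line_len = (size_t)(eol - (buf + pos)) + 1;
        int blank = line_len == 1 || (line_len == 2 && buf[pos] == '\r');
        *consumed = (pos += line_len);
        if (blank && lines > 0) return HDR_OK;      /* end of header block */
        if (++lines > lim->max_fields + 1) return HDR_TOO_MANY_FIELDS; /* +1: request line */
    }
    *consumed = len;
    return HDR_INCOMPLETE;
}

/* Constructed sample input: request line plus `copies` identical headers. */
size_t build_request(char *buf, size_t cap, size_t copies)
{
    static const char rl[] = "GET / HTTP/1.0\r\n", h[] = "User-Agent: sioux\r\n";
    size_t rlen = sizeof rl - 1, hlen = sizeof h - 1, need = rlen + copies * hlen + 2;
    if (need > cap) return 0;
    memcpy(buf, rl, rlen);
    for (size_t i = 0; i < copies; i++) memcpy(buf + rlen + i * hlen, h, hlen);
    memcpy(buf + need - 2, "\r\n", 2);
    return need;
}

int main(void)
{
    static char req[200000];
    struct hdr_limits lim = { 100, 8190 };          /* illustrative limits */
    size_t used, n = build_request(req, sizeof req, 10000);
    enum hdr_status st = scan_headers(req, n, &lim, &used);
    printf("status=%d, examined %zu of %zu bytes\n", (int)st, used, n);
    return 0;
}
```

With these limits the scan of the 10,000-header sample stops after 1,935 of 190,018 bytes, so the rest of the request never has to be buffered.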
