Full Disclosure mailing list archives
Re: DoS in Apache 2.0.52 ?
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Mon, 1 Nov 2004 16:38:42 +0100 (CET)
On Mon, 1 Nov 2004, Chintan Trivedi wrote:
GET / HTTP/1.0\n [space] x 8000\n [space] x 8000\n [space] x 8000\n . . 8000 times
I created 25 threads (connections) and send the above request to one webserver.
This is circa 1.5 GB of data (61 MB per connection), at which point you probably either caused an (improperly configured) server to kill random processes on OOM, or swapped it to death. This seems to be a valid DoS, and Apache most certainly should refuse such an attack (historically, they had several other header parsing flaws). This attack is probably not particularly efficient, compared to, say, a good old connection flood, should you have 1.6 GB of bandwidth to spare. /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- DoS in Apache 2.0.52 ? Chintan Trivedi (Nov 01)
- Re: DoS in Apache 2.0.52 ? Mauro Flores (Nov 01)
- Re: DoS in Apache 2.0.52 ? Chintan Trivedi (Nov 01)
- Re: DoS in Apache 2.0.52 ? Michal Zalewski (Nov 01)
- <Possible follow-ups>
- Re: DoS in Apache 2.0.52 ? Daniel Guido (Nov 17)
- Re: DoS in Apache 2.0.52 ? Mauro Flores (Nov 01)