Bugtraq mailing list archives

Re: Apache DoS Attack


From: pim () WEBCITY NL (Pim van Riezen)
Date: Tue, 11 Aug 1998 21:48:31 -0700


Jonathan Freeman wrote:

We just tested the Sioux (Apache DoS) bug on:

    <>    IIS 3.0  (Service Pack 3)

               causes immediate jump to 100% CPU for approx. 5 seconds
               multiple attacks can keep the CPU in the 90% range

    <>    IIS 4.0  (Service Pack 3)

               causes immediate jump to 80% CPU for approx. a half second
               multiple attacks DO NOT cause more than 40% sustained CPU range

    <>    Apache 1.1.1 (Unix)  (Caldera OpenLinux)

               causes jump to 66% CPU for each get request and attempts
               to use all available swap space for memory.  Can be DoS'd easily.

    <>     WebSitePro 2.3.4  (Service Pack 3)

               causes immediate jump to 99% CPU for approx. 5 seconds
               unknown if DoS would be possible for multiple attacks

Is there any good reason for any of these programs to merge headers
internally in the first place? I'm wondering because I am actually working
on a webserver and noted that the code wasn't vulnerable because of the
way I chose to implement header-handling (which didn't include any
header-merging code). I wonder if there are any situations where a
client legitimately sends two headers of the same type (in which case I
would have to add header-merging code) or is this following conventions
for the sake of following conventions (in which case I might feel
inclined to stay lazy :-)? Input is welcome.

Regards,

Pim van Riezen

--
"I'm at the corner of Walk and Don't Walk, where shall we meet?"

Operations - SaltLake.UT.US.Undernet.Org
Channel LART - #linux Undernet
Programmer sometimes LART - Microhill Automation
Cat5 Monkey - Webcity / Internet Facilities Europe
Eerie-eyed Visionair Software Developer - StealthTech Networking
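
An added example, not part of the original post or of any server named in it: HTTP allows a field whose value is a comma-separated list to arrive as several header lines with the same name, and a recipient may fold them into one value joined by ", ". The sketch below does that merge with fixed bounds so that repeated headers cannot grow memory or CPU use without limit; the struct, function names and limits are assumptions chosen for illustration.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define MAX_FIELDS 32    /* distinct header names accepted per request */
#define MAX_NAME   64    /* longest header name, including the NUL */
#define MAX_VALUE  1024  /* cap on one merged value, so memory stays bounded */

struct field { char name[MAX_NAME]; char value[MAX_VALUE]; size_t len; };
struct header_table { struct field f[MAX_FIELDS]; int count; };

/* Case-insensitive lookup of a name given as pointer + length. */
static struct field *find(struct header_table *t, const char *name, size_t nlen)
{
    for (int i = 0; i < t->count; i++)
        if (strlen(t->f[i].name) == nlen &&
            strncasecmp(t->f[i].name, name, nlen) == 0)
            return &t->f[i];
    return NULL;
}

/* Add one "Name: value" line (CRLF already stripped). A repeated name is
 * appended to the existing entry as "v1, v2"; the stored length keeps each
 * append linear in the new value. Returns 0, or -1 if the line is malformed
 * or a limit is hit, in which case the caller rejects the whole request. */
int add_header(struct header_table *t, const char *line)
{
    const char *colon = strchr(line, ':');
    if (!colon || colon == line || (size_t)(colon - line) >= MAX_NAME)
        return -1;
    size_t nlen = (size_t)(colon - line);
    const char *val = colon + 1;
    while (*val == ' ' || *val == '\t') val++;       /* skip leading whitespace */
    size_t vlen = strlen(val);

    struct field *e = find(t, line, nlen);
    size_t sep = (e && e->len) ? 2 : 0;              /* room for ", " */
    if ((e ? e->len : 0) + sep + vlen >= MAX_VALUE) return -1;
    if (!e) {
        if (t->count == MAX_FIELDS) return -1;
        e = &t->f[t->count++];
        memcpy(e->name, line, nlen); e->name[nlen] = '\0';
        e->len = 0; e->value[0] = '\0';
    }
    if (sep) { memcpy(e->value + e->len, ", ", 2); e->len += 2; }
    memcpy(e->value + e->len, val, vlen + 1);        /* copies the NUL too */
    e->len += vlen;
    return 0;
}
```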


