
For those of you who haven’t heard (you must live under a rock), there is currently an unpatched denial-of-service attack against the Apache HTTP Server that can easily be executed from a single computer. A Perl script that carries it out, known as Apache Killer, was posted to the Full Disclosure mailing list last weekend.

I run Apache 2.2 on TheXploit.com so I thought it’d be an interesting experiment to see what happens. So, here we go: Apache Killer vs. TheXploit

Executing The Attack: Impressive

I fired up a Linux box and ran

perl apachekiller.pl thexploit.com 50
host seems vuln
ATTACKING thexploit.com [using 50 forks]

Less than a minute later, TheXploit.com was completely unreachable. Requests to the site just sat at Connecting… and the page never loaded.

Apache Killer Wins: What happened?

The Apache Killer script sends a single HEAD request whose Range header asks for roughly 1300 overlapping byte ranges of the same resource (and asks for gzip encoding on top). Apache honours every one of those ranges: for each range it builds a separate copy of that slice of the response in memory, so one request costs the server around 1300 times the memory of a normal one.

The second parameter to Apache Killer is the number of forked attacker processes, each of which keeps sending these requests – in our case 50. So at any moment the server was holding on the order of 50 * 1300 = 65,000 range fetches in memory, generated by just 50 connections.

That filled the server’s memory very quickly – so quickly that the OS started swapping to disk. Check out the massive spike in disk IO

Next came the email alert

Your Linode has exceeded the notification threshold (1000) for disk io rate by averaging 1631.06 for the last 2 hours.

At this point, the only thing I could do to return to normal operations was restart the server.

Protection

Update Aug 30 – Apache 2.2.20 has been released to fix this.
If you can’t upgrade yet, the attack is pretty easily avoided with a simple workaround. It relies on mod_setenvif (for SetEnvIf) and mod_headers (for RequestHeader), so make sure both modules are loaded; the Apache advisory also suggests dropping the legacy Request-Range header the same way.

In /etc/apache2/httpd.conf

# Drop the Range header when it carries more than 5 ranges
# (i.e. the value contains 5 or more commas).
# CVE-2011-3192
# SetEnvIf needs mod_setenvif; RequestHeader needs mod_headers.
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
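To make the mechanics above concrete, and to check whether the workaround actually took effect on your server, here is an added Python example (it is not the Perl script from the mailing list and not code from this post). It builds a Range value laid out the way Apache Killer’s is, which I take as an assumption from the script: one open-ended range followed by overlapping ranges that all start at byte 5, 1300 of them in the real attack. It then runs the same regex the SetEnvIf rule uses against that value, and can send one HEAD request to a host to classify the reply (the script’s own “host seems vuln” test looks for a 206 Partial Content answer, which is what classify_response keys on). The host, the path and the probe size of 10 ranges are assumptions; 10 ranges is enough to trip the 5-comma rule without stressing the server.

```python
import http.client
import re
import sys

# The SetEnvIf regex from the workaround: five or more commas in the
# Range value (six or more ranges) means the header is dropped.
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")


def build_range_header(n_ranges):
    """Range value in the style of the Apache Killer script (assumed
    layout): one open-ended range '0-' followed by n_ranges overlapping
    ranges that all start at byte 5, e.g. 'bytes=0-,5-0,5-1,...,5-1299'."""
    return "bytes=0-" + "".join(",5-%d" % k for k in range(n_ranges))


def range_count(value):
    """Number of byte ranges in a Range header value such as 'bytes=0-,5-0'."""
    return len(value.split("=", 1)[1].split(","))


def would_be_dropped(value):
    """True if the SetEnvIf rule would flag this Range value, so the
    RequestHeader directive strips it before the request is served."""
    return BAD_RANGE_RE.search(value) is not None


def classify_response(status, content_type):
    """Interpret the server's answer to a many-range request.
    206 with multipart/byteranges: the server honoured every range, the
    behaviour the attack relies on. 200: the Range header was ignored or
    dropped, which is what the workaround (or the 2.2.20 fix) produces."""
    if status == 206 and content_type and "multipart/byteranges" in content_type:
        return "ranges honoured (attack path open)"
    if status == 200:
        return "range ignored (mitigated or patched)"
    return "unexpected %d" % status


def probe(host, path="/", n_ranges=10, timeout=10):
    """Send a single HEAD request carrying n_ranges overlapping ranges
    (plus Accept-Encoding: gzip, as the script does) and classify the
    reply. One request with 10 ranges is a check, not an attack."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={
            "Host": host,
            "Range": build_range_header(n_ranges),
            "Accept-Encoding": "gzip",
            "Connection": "close",
        })
        resp = conn.getresponse()
        return classify_response(resp.status, resp.getheader("Content-Type"))
    finally:
        conn.close()


if __name__ == "__main__":
    attack = build_range_header(1300)
    print("attack header: %d ranges, %d bytes, dropped by workaround: %s"
          % (range_count(attack), len(attack), would_be_dropped(attack)))
    print("normal two-range header dropped: %s"
          % would_be_dropped("bytes=0-499,1000-1499"))
    # Optional live check against a host you own, e.g. python3 rangecheck.py example.com
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Run it with no arguments to see that the 1301-range attack header is caught by the rule while an ordinary two-range request is left alone; pass a hostname you own to see whether that server still answers a many-range request with 206 Partial Content (workaround not active) or with 200 (Range dropped).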

Alternatively, if you’re using CloudFlare on your blog – you’re already protected.

So how did your server fare? Did it last longer than a minute?