Bugtraq mailing list archives

Re: YA Apache DoS attack


From: dag-erli () IFI UIO NO (Dag-Erling Coidan Smørgrav)
Date: Sat, 8 Aug 1998 11:40:56 +0200


I have gotten a certain amount of response to my posting about the
Apache DoS attack. Rather than follow up to each in particular, I'll
summarize my replies here.

Several of you have pointed out that the Apache team *does* have an
email address for reporting security vulnerabilities. I'm very glad to
hear that; if I ever find a bug in Apache again, I'll report it to
that address and give them a week. Yesterday however, I was slightly
under the shock of the discovery, and slightly pissed at not being
able to find such an address anywhere. I apologize for letting this
cloud my judgement and not giving the Apache team a chance to fix this
before it hit the lists.

Others have pointed out that setting appropriate resource limits for
the server will solve the problem. My reaction to that is that it does
not solve anything; it merely circumvents a nasty bug by causing the
server to die when the bug manifests itself. It does not change the
fact that Apache has a memory consumption curve which is roughly a
polynomial function of the size of its input.

To those of you who wrote along the lines of "I'll have to shut down
my server until a fix comes out", that should not be necessary.
Although not a good permanent solution, resource limits will allow
your server to get through this relatively unscathed until a fix comes
out. If you get hit badly by the kiddies, reduce MaxRequestsPerChild
to a low single-digit number; this will prevent bloated httpd
processes from hanging around too long.

Those of you who tried the exploit and experienced server SIGSEGVs or
"Broken Pipe" error messages from the exploit already have resource
limits in place.

To the Apache team: sorry for springing this on you without warning.
Despite nasty bugs like this, you generally do a very good job of
writing a nice web server. Keep up the good work.

DES
--
Dag-Erling Smørgrav - dag-erli () ifi uio no
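The interim mitigation discussed above (per-process resource limits plus a low MaxRequestsPerChild) as an added example, not code from the original post or from the Apache project. It assumes a classic Apache 1.3 prefork layout; the install paths, the 64 MB address-space cap and the "start"/"check" verbs are all assumptions, not Apache conventions. The limit is set with ulimit in a wrapper rather than with Apache's RLimitMEM directive, because RLimit* in 1.3 applies to processes the server spawns (CGI), not to the httpd children themselves; a limit set on the parent before exec is inherited by every child it forks, so an httpd whose memory balloons on a crafted request is killed by the kernel instead of exhausting the host. That kill is exactly the SIGSEGV or "Broken Pipe" the author mentions: the child dies, the bug is not fixed.

```shell
#!/bin/sh
# Wrapper that starts Apache 1.3 httpd under a per-process memory cap and
# reports the MaxRequestsPerChild setting in use. Added example; the paths
# and figures below are assumptions, adjust them for your own server.

HTTPD=${HTTPD:-/usr/local/apache/bin/httpd}        # assumed install path
CONF=${CONF:-/usr/local/apache/conf/httpd.conf}    # assumed config path
MEM_KB=${MEM_KB:-65536}                            # 64 MB per process, assumed figure

apply_limits() {
    # Cap the address space (-v, kilobytes) of this shell and of everything
    # it execs, httpd and all its forked children included. -v is not in
    # POSIX sh, so fall back to the data-segment limit (-d) where it is missing.
    ulimit -v "$1" 2>/dev/null || ulimit -d "$1"
}

limited_vsize() {
    # Report the soft address-space limit (KB) a child would inherit after
    # apply_limits. Runs in a subshell so the caller's limits are untouched.
    ( apply_limits "$1" >/dev/null 2>&1 && ulimit -v )
}

max_requests_per_child() {
    # Print the effective MaxRequestsPerChild in the given httpd.conf, or
    # "unset" if the directive is absent. Commented lines do not match
    # (their first field starts with '#'); a later directive overrides an
    # earlier one, as in Apache.
    awk 'tolower($1) == "maxrequestsperchild" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

maxreq_is_low() {
    # True when the value is a positive single digit, the "low single-digit
    # number" the post suggests while a server is being hammered.
    case "$1" in
        [1-9]) return 0 ;;
        *)     return 1 ;;
    esac
}

case "${1:-}" in
    start)
        apply_limits "$MEM_KB"
        mrpc=$(max_requests_per_child "$CONF")
        maxreq_is_low "$mrpc" || \
            echo "warning: MaxRequestsPerChild is $mrpc; bloated children will linger" >&2
        exec "$HTTPD" -f "$CONF"
        ;;
    check)
        echo "MaxRequestsPerChild: $(max_requests_per_child "$CONF")"
        echo "address-space limit children would inherit: $(limited_vsize "$MEM_KB") KB"
        ;;
esac
```

Run it as `sh wrapper.sh check` to see what a child would inherit, and `sh wrapper.sh start` in place of the usual apachectl start. Because the cap is inherited, it also bounds CGI programs the children spawn, so set it above the largest legitimate process on the box.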


