Bugtraq mailing list archives
Re: a cheesy Apache / IIS DoS vuln (+a question)
From: Gadi Evron <ge () linuxbox org>
Date: Fri, 5 Jan 2007 01:11:51 -0600 (CST)
On Wed, 3 Jan 2007, William A. Rowe, Jr. wrote:
Michal Zalewski wrote:I feel silly for reporting this, but I couldn't help but notice that Apache and IIS both have a bizarro implementation of HTTP/1.1 "Range" header functionality (as defined by RFC 2616). Their implementations allow the same fragment of a file to be requested an arbitrary number of times, and each redundant part to be received separately in a separate multipart/byteranges envelope.Batten down the hatches!(An example would be an "old-fashioned" attack on a server that happens to host multi-gigabyte ISO files or movies - simply request them many times and let window scaling do the rest... of course, most high-profile sites are smart enough to host static HTML and basic layout elements separately from such bandwidth-intensive and non-essential content, so it still makes sense to take note of "Range" behavior).Seriously, HTTP pipelining can accomplish EXACTLY the same thing with minimal pain. If you have an issue with this behavior, of HTTP, then you have an issue with the behavior under FTP or a host of other protocols. And as you say, simple enough to find some 1.5mb pdf's. But you expect 1gb window sizes to actually succeed? In 95% of the cases that follow your comment above, although the load may be often be distributed between boxes based on computational intensity, it is nearly always shoved down the same pipe in the end.Combined with the functionality of window scaling (as per RFC 1323)is exactly where your concern should lay - socket kernel-level control of unrealistic window scaling, and similar scaling restrictions at the router layer. With the host of real issues out there in terms of massively parallel DDoS infrastructures that abound, this is, as you say, quite a silly report.
Wrong. Any vulnerability, no matter how many others are out there or how
unlikely, is indeed a vulnerability.
As one of the people leading the battle againt what you refer to as
"massively parallel DDoS infrastructures", I can tell you I am almost
inclined to giggle here.
Is all you are saying: "YES but mine is better?"
Gadi.
Current thread:
- a cheesy Apache / IIS DoS vuln (+a question) Michal Zalewski (Jan 03)
- Re: a cheesy Apache / IIS DoS vuln (+a question) William A. Rowe, Jr. (Jan 04)
- Re: a cheesy Apache / IIS DoS vuln (+a question) Michal Zalewski (Jan 04)
- Re: a cheesy Apache / IIS DoS vuln (+a question) William A. Rowe, Jr. (Jan 04)
- Re: a cheesy Apache / IIS DoS vuln (+a question) Michal Zalewski (Jan 04)
- Re: a cheesy Apache / IIS DoS vuln (+a question) Michal Zalewski (Jan 04)
- Re: a cheesy Apache / IIS DoS vuln (+a question) Michal Zalewski (Jan 04)
- Re: a cheesy Apache / IIS DoS vuln (+a question) William A. Rowe, Jr. (Jan 04)
- Re: a cheesy Apache / IIS DoS vuln (+a question) Gadi Evron (Jan 08)
- Re: a cheesy Apache / IIS DoS vuln (+a question) Rob Sherwood (Jan 04)
- Re: a cheesy Apache / IIS DoS vuln (+a question) William A. Rowe, Jr. (Jan 09)
- Re: a cheesy Apache / IIS DoS vuln (+a question) bugtraq (Jan 10)