Full Disclosure mailing list archives
Re: Apache Killer
From: "-= Glowing Sex =-" <doomxd () gmail com>
Date: Wed, 24 Aug 2011 11:03:30 +1000
oops.. forgot to cc the list :P wuld maybe help... Yes, i still think a nice .sh/.patch for this would be great for things like productuion boxes wich run 400 or so sites and need a fast fix b4 things start to crumble :s.. in my case, it is one box out of 10 wich is being the pain, and, i dont want to reinstall even if i can avoid it. On 24 August 2011 11:01, -= Glowing Sex =- <doomxd () gmail com> wrote:
Hello, Thanks, I will try this, and also disabling gzip compression, i dont have mod_deflate on this particular 8.0 bsd production box, so i will run with the gzip and, try to add this into the headers module.. i am sure there should be something made, like a small bash script, to patch any apache against this.. need to find a universal patch instead of, having to reinstall/reconfigure things, and a patch wich would not render componentry useless... i hope this is what happens... a solid .patch or unified diff file would be perfect but, the version on Amazon VPS service is completely immune to this, and they would be running alot of devel stuff.. Well in theyre free section... I have a vps thru theyre free service,and it is immune,but how to make something wich is a patch.sh / patch.patch and make it workable for production boxes wich should not be offline for even 10minutes really. cheers, xd On 24 August 2011 10:54, Nam Nguyen <namn () bluemoon com vn> wrote:Disabling Partial Content would be workable. 1. Load up headers_module. 2. Add this line: RequestHeader unset Range. I hope that helps. -- Nam Nguyen, CISA, CISSP, CSSLP Blue Moon Consulting Co., Ltd http://www.bluemoon.com.vn On Wed, 24 Aug 2011 08:54:53 +1000 "-= Glowing Sex =-" <doomxd () gmail com> wrote:Yea, i think only way to get around it is to upgrade httpd versions.. I tried it on freeBSD8.2 standard default settings and httpd devel andthatseems fine, even standard httpd alone on another box, again running 8.2,isfine. Some boxes also seem to only consume ram, when it is swap that is therealkiller... it also is not possible to b stopped with apache commands,oncethe box starts tipping, you must killall -9 httpd , just to stop the box from tipping over, this is when the script is execd against it intesting,we were able to only stop it that way, on a badly affected httpd. I still wish apache.org would at the least release some form ofadvisory forthis and help for some people who dislike upgrades :s like bosses withsmallpockets ;p cheers xd On 24 August 2011 08:47, <nix () myproxylists com> wrote:Reagrding this bug, The release should have also specified a bugfix / workaround,ofcourseusually this is the case, altho the one i have seen, does not workon allboxes. On a BSD 8.0 box, it killed eveything, swap/ram, eveythingdied/neededreboot. now, what is quite annoying, i guess is that i had someonegothru my setup, aswell as myself, to check for anything that could triggerit,we found the gzip lines, but nothing else for mod_deflate so we wentaheadand restarted, and bang, dead again... what do we do here ? Apache has done nothing about this, there is no UN officialpatching,thisis nasty... Please, any suggestions for patching this, seriously, it should not be that i must have to shutdown a company webserver, incasesomeoneshould attack it. Regards, xd'perl killapache.pl mysite.com 50' said: Host does not seemvulnerable andit did exited instantly. Tested it against local linux site using Apache 2.2.19 and the remotesiteuses 2.2.17.On 21 August 2011 01:31, Levente Peres <sheridan () sansz org> wrote:My findings, hope it helps... Properly configured HAProxy withqueuemanagement and per-server limits can dampen the effects quite drastically. In my testing (three low-end SunFire servers and a LB) an attackvolumeof well over a 1000 threads was necessary to notice any small speed degradation on the frontend - which triggeres anti DOS immediatelyifdone from outside LAN. System immediately recovers fully when theattackstops, no coredumps, nothing, not even after half an hour ofsustainedattack. No crashing or unstability whatsoever happened on anyservers,not even at 2000, but dared not to test further on a live system...Ifperformed from multiple IPs or varied content etc however, apatternrecognition scheme would be necessary to block it I believe... Also tested it with a simple one-server setup with Squid as frontendbeforeapache, it reported not vulnerable... Not tested any further yet. Done on a "barefoot" apache however, it was devastating even at 100 threads regardless the lots of RAM and quadcode setup :-( Levente 2011.08.20. 14:31 keltezéssel, HI-TECH . írta:Disabling mod_gzip/mod_deflate is a workaround I guess. 2011/8/20 Moritz Naumann<security () moritz-naumann com>:On 20.08.2011 00:23 HI-TECH . wrote:(see attachment) /KingcopeWorks (too) well here. Are there any workarounds other than rate limiting or detecting + dropping the traffic IPS-wise? Moritz_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ --- avast! Antivirus: Inbound message clean. Virus Database (VPS): 110819-1, 2011.08.19 Tested on: 2011.08.20. 14:32:33 avast! - copyright (c) 1988-2011 AVAST Software. http://www.avast.com_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Apache Killer HI-TECH . (Aug 19)
- Re: Apache Killer Moritz Naumann (Aug 20)
- Re: Apache Killer HI-TECH . (Aug 20)
- Re: Apache Killer Levente Peres (Aug 20)
- Re: Apache Killer -= Glowing Sex =- (Aug 23)
- Re: Apache Killer nix (Aug 23)
- Re: Apache Killer -= Glowing Sex =- (Aug 23)
- Message not available
- Message not available
- Re: Apache Killer -= Glowing Sex =- (Aug 23)
- Re: Apache Killer HI-TECH . (Aug 20)
- Re: Apache Killer Moritz Naumann (Aug 20)
- Re: Apache Killer HI-TECH . (Aug 22)
- Re: Apache Killer Michal Zalewski (Aug 23)
- Re: Apache Killer -= Glowing Sex =- (Aug 23)
- Re: Apache Killer HI-TECH . (Aug 24)
- Re: Apache Killer HI-TECH . (Aug 24)
- Re: Apache Killer Michal Zalewski (Aug 24)
- Re: Apache Killer HI-TECH . (Aug 24)
- Re: Apache Killer Dirk-Willem van Gulik (Aug 25)