Security Incidents mailing list archives
Apache Distributed Denial of Service
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Fri, 11 Aug 2000 19:10:11 -0700
From: "Security Operations Center 1 - farm9" <soc () farm9 com>
To: <SOC () farm9 com>
Subject: Apache Distributed Denial of Service
Date: Thu, 10 Aug 2000 18:02:52 -0700
Message-ID: <NEBBIPHGEKCNBLNBIDKHAEEICJAD.soc () farm9 com>

Apache Distributed Denial of Service
August 10, 2000 4:51 pm PST

We are seeing what we believe is a Windows-based DDOS attack against Apache servers involving over 500 hosts. If you are seeing this at your site and/or know more about the attacking software please contact the farm9 Security Operations Center at soc () farm9 com

On Thursday August 8, 2000 at 10:46 am PST, one of our clients began receiving numerous Distributed Denial of Service (DDOS) attacks originating from over 500 different IP addresses. The attack is continuous and ongoing through the time of this writing. Originator systems are all Windows-based and are located at a mixture of individual, commercial and military sites. E-mail notification was sent on 8/10/00 to some originator IP addresses.

The attack was unsuccessful due to the fact that the targeted system is running a later version of Apache that is not vulnerable to the attack. Contact has been initiated with the network managers and postmasters of the informing the system owners that attacks were originating from their machines. Responses from originator sites are still pending.

The signature for this type of attack is that IP packets have the SLASHES in the data frames that are sent to the target system. This attack signature is consistent with the HTTP_Apache_DOS Attack.

HTTP Apache Attack Description

Technical Description: By requesting a URL which contains thousands of slashes ('/'), an Apache Web server can be put into a state where it will use an increasing amount of CPU time. This can deny service to other users.

Why this is important: This attack can cause your web server to become inaccessible, or at least painfully slow.

Systems affected: Apache Web server prior to 1.2.5

What to do: Upgrade your Apache server to 1.2.5 or later.

Prepared by:
Farm9.com, Inc.
Security Operations Center
soc () farm9 com

Contact: Guy Morgan gmorgan () farm9 com or George Milliken gmilliken () farm9 com

###

Regards,

Incident Response Coordinator
Security Operations Center
SOC () farm9 com
www.farm9.com
Intrusion Prevention And Incident Response

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
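The following is an added example, not part of the forwarded advisory or farm9's tooling: a log triage script for the signature described above (request URLs containing thousands of slashes), counting matching requests per source so the number of originating hosts can be sized. The 1000-slash threshold, the Common Log Format input, and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Assumption for this example: the advisory says "thousands of slashes",
# so 1000 slashes in one request path is used as the alert cut-off.
SLASH_THRESHOLD = 1000

# Apache Common Log Format: host ident user [time] "METHOD target ..." status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def slash_flood_sources(lines, threshold=SLASH_THRESHOLD):
    """Count, per source host, requests whose path holds >= threshold slashes."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if m is None:
            continue  # truncated or malformed entry: skip rather than crash
        host, target = m.group(1), m.group(3)
        path = target.split("?", 1)[0]  # ignore slashes in a query string
        if path.count("/") >= threshold:
            hits[host] += 1
    return hits


def summarize(hits):
    """Totals an analyst needs to size the event: sources and requests."""
    return {"sources": len(hits), "requests": sum(hits.values())}


def sample_log():
    """Constructed access-log lines (documentation addresses, invented times)."""
    flood = "/" * 4000
    return [
        '192.0.2.10 - - [10/Aug/2000:10:46:01 -0700] "GET %s HTTP/1.0" 403 210' % flood,
        '192.0.2.10 - - [10/Aug/2000:10:46:02 -0700] "GET %s HTTP/1.0" 403 210' % flood,
        '198.51.100.7 - - [10/Aug/2000:10:46:02 -0700] "GET %s HTTP/1.0" 403 210' % flood,
        '203.0.113.5 - - [10/Aug/2000:10:46:03 -0700] "GET /docs/a/b/index.html HTTP/1.0" 200 5120',
        'garbled line without the expected fields',
    ]


if __name__ == "__main__":
    found = slash_flood_sources(sample_log())
    for host, count in found.most_common():
        print(host, count)
    print(summarize(found))
```

The per-source counts give the list of originator addresses to pass to the responsible network contacts, as the advisory describes doing.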