Security Incidents mailing list archives

Apache Distributed Denial of Service


From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Fri, 11 Aug 2000 19:10:11 -0700

From: "Security Operations Center 1 - farm9" <soc () farm9 com>
To: <SOC () farm9 com>
Subject: Apache Distributed Denial of Service
Date: Thu, 10 Aug 2000 18:02:52 -0700
Message-ID: <NEBBIPHGEKCNBLNBIDKHAEEICJAD.soc () farm9 com>

Apache Distributed Denial of Service

August 10, 2000
4:51 pm PST

We are seeing what we believe is a Windows-based DDOS attack against Apache
servers involving over 500 hosts.  If you are seeing this at your site
and/or know more about the attacking software please contact the farm9
Security Operations Center at soc () farm9 com

On Thursday August 8, 2000 at 10:46 am PST, one of our clients began
receiving numerous Distributed Denial of Service (DDOS) attacks originating
from over 500 different IP addresses. The attack is continuous and ongoing
through the time of this writing.

Originator systems are all Windows-based and are located at a mixture of
individual, commercial and military sites. E-mail notification was sent on
8/10/00 to some originator IP addresses.

The attack was unsuccessful due to the fact that the targeted system is
running a later version of Apache that is not vulnerable to the attack.

Contact has been initiated with the network managers and postmasters of the
informing the system owners that attacks were originating from their
machines.  Responses from originator sites are still pending.

The signature for this type of attack is that IP packets have the SLASHES in
the data frames that are sent to the target system. This attack signature is
consistent with the HTTP_Apache_DOS Attack.

HTTP Apache Attack Description
Technical Description: By requesting a URL which contains thousands of
slashes ('/'), an Apache Web server can be put into a state where it will
use an increasing amount of CPU time. This can deny service to other users.

Why this is important: This attack can cause your web server to become
inaccessible, or at least painfully slow.

Systems affected: Apache Web server prior to 1.2.5
What to do: Upgrade your Apache server to 1.2.5 or later.

Prepared by:
Farm9.com, Inc.
Security Operations Center
soc () farm9 com
Contact:   Guy Morgan gmorgan () farm9 com   or  George Milliken
gmilliken () farm9 com

###

Regards,
Incident Response Coordinator
Security Operations Center
SOC () farm9 com


www.farm9.com
Intrusion Prevention
And Incident Response


----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
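
A defender-side check for the signature described in the forwarded advisory (request URLs containing very long runs of slashes), as an added example that is not part of the original message or farm9's own tooling. It assumes Apache access logs in Common Log Format; the threshold of 100 and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S*)(?: \S+)?" (\d{3}) \S+')
SLASH_RUN = re.compile(r'/+')
RUN_THRESHOLD = 100  # assumed cut-off; tune it against your normal traffic


def longest_slash_run(target):
    """Length of the longest run of consecutive '/' in the path (query ignored)."""
    path = target.split('?', 1)[0]
    return max((len(m.group()) for m in SLASH_RUN.finditer(path)), default=0)


def scan(lines, threshold=RUN_THRESHOLD):
    """Return (flagged requests per source host, count of unparseable lines)."""
    hits, skipped = Counter(), 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            skipped += 1  # e.g. timed-out or truncated request lines
            continue
        host, _method, target, _status = m.groups()
        if longest_slash_run(target) >= threshold:
            hits[host] += 1
    return hits, skipped


# Constructed sample log (documentation-range addresses), not incident data.
TS = '[10/Aug/2000:16:40:00 -0700]'
SAMPLE = [
    f'192.0.2.10 - - {TS} "GET /index.html HTTP/1.0" 200 1043',
    f'192.0.2.11 - - {TS} "GET /docs//faq.html?ref=////// HTTP/1.0" 200 512',
    f'198.51.100.7 - - {TS} "GET {"/" * 4000} HTTP/1.0" 403 210',
    f'198.51.100.7 - - {TS} "GET /cgi-bin{"/" * 2500}x HTTP/1.0" 404 198',
    f'203.0.113.44 - - {TS} "GET {"/" * 3000} HTTP/1.0" 403 210',
    f'192.0.2.55 - - {TS} "-" 408 -',
]

if __name__ == "__main__":
    hits, skipped = scan(SAMPLE)
    print(f"{sum(hits.values())} flagged requests from {len(hits)} hosts "
          f"({skipped} unparseable lines)")
    for host, count in hits.most_common():
        print(f"  {host}: {count}")
```

Counting distinct flagged hosts, rather than only flagged requests, is what separates a single misbehaving client from the many-source pattern the advisory reports.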

