If you've been following our diaries or any other IT Security related news, you probably know about the Apache HTTP DoS tool that was released on Thursday (see the original diary at http://isc.sans.org/diary.html?storyid=6601).

Bojan, ISC Handler, Jun 21st 2009
I'm glad to have already adopted nginx as a reverse proxy. I'd experienced 'DoS'-like situations caused by legitimate traffic on a busy site where a server-side script had stalled waiting for something and the number of open connections exceeded Apache's maximum. Large PHP scripts cause Apache to use a lot of RAM per thread/process, so I couldn't increase MaxClients further. But nginx can handle a *lot* of clients with minimal RAM, so it's possible to even have large KeepAliveTimeouts for better performance without risk of having too many open connections. I limit connections per IP and the speed of connection attempts per IP, to protect against large DoSes.

Steven C., Jun 21st 2009
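The kind of front-end limits Steven describes (a per-IP connection cap, a per-IP rate limit, and header timeouts that a slow client cannot keep extending) as an added nginx configuration fragment; this is not the poster's configuration and not from the thread, and the zone names, limits, timeouts and backend address are assumed values to be tuned per site.

```nginx
# Added example (not from the thread): nginx reverse-proxy limits against
# slow-header clients and per-IP connection floods. Zone names, sizes,
# limits and the backend address are assumptions to be tuned for the site.
http {
    # Per-client-IP concurrent connection cap; state lives in a 10 MB shared zone.
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;
    # Per-client-IP request rate. This limits how fast one address may issue
    # requests, not how fast it may open TCP connections (that is a firewall job).
    limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=10r/s;

    # Absolute limit for receiving the whole request header block: a client
    # trickling one header byte at a time is cut off after 10 seconds total.
    client_header_timeout 10s;
    # Body and send timeouts apply between two successive read/write operations.
    client_body_timeout   10s;
    send_timeout          10s;
    # Keep-alive can stay generous because an idle connection is cheap in nginx.
    keepalive_timeout     65s;

    server {
        listen 80;
        limit_conn per_ip_conn 20;                 # at most 20 open connections per IP
        limit_req  zone=per_ip_req burst=20 nodelay;
        limit_conn_status 429;
        limit_req_status  429;

        location / {
            proxy_pass http://127.0.0.1:8080;      # backend Apache (assumed address)
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
        }
    }
}
```

With this in front of Apache, the slow-header connections are terminated by nginx at the header timeout and never reach a backend worker, and the `limit_conn` cap bounds how many connections any single address can hold at once; both limits log a 429 that can be alerted on.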
That's the problem: Apache will reset the timer if at least one byte is received before timer expiration. lighttpd suffers the same symptoms, as well as at least two other closed-source HTTP servers. Steven's adoption seems the best quick fix for the moment, but if a better one should come it will be written following FreeBSD's accf filters philosophy, although that will not fix the case of SSL or big POST data.

Steven C., Jun 22nd 2009
Robert Hansen keeps a blog entry on this topic that you may want to check: http://ha.ckers.org/blog/20090617/slowloris-http-dos/

Steven C., Jun 22nd 2009
Anyway, this is not a bug, nor can I call it a flaw; it is just a friendly manner of serving the requests that can be exploited by the bad guy. I don't see anything wrong (ethically speaking) in resetting that timer the way it is (think congestion and the fact that there MAY be real slow clients) but ... one should be prepared to say "I'm sorry but I have to drop you" to the laziest connection. Care should be taken when computing the laziness factor on big POSTs.

Steven C., Jun 22nd 2009
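The timer-reset behaviour described two posts up (the read timeout restarting whenever a byte arrives) and the "drop the laziest connection, but be careful with big POSTs" idea from the post above, modelled as an added example. This is my own illustration, not code from the thread, from Apache or from nginx; the policies, timings, sample client traces and the laziness formula are all constructed assumptions.

```python
# Added example (not from the thread, Apache or nginx): a small model of how a
# server's request-read timeout behaves against a client that trickles bytes.
#
# Two policies are compared:
#   * idle-reset only: the read timer restarts whenever at least one byte
#     arrives, the Apache behaviour described in the thread;
#   * idle-reset plus an absolute deadline for the complete header block, so a
#     client sending one byte at a time is still dropped.
# A "laziness" score for choosing which connection to shed under pressure is
# also shown; it is relative to expected size so a large POST that is halfway
# through is not mistaken for a stalled client. All timings are constructed.

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Policy:
    idle_timeout: float                # seconds with no byte before dropping
    header_deadline: Optional[float]   # seconds from connect to finish headers; None = no limit


HEADER_END = b"\r\n\r\n"


def simulate(events: List[Tuple[float, bytes]], policy: Policy) -> Tuple[str, float]:
    """Replay (timestamp, chunk) arrivals from one client against a policy.

    Timestamps are seconds since connect, ascending. Returns (outcome, time):
    'complete' when the header terminator is seen, otherwise 'dropped_idle' or
    'dropped_deadline' together with the time the connection was cut.
    """
    buf = b""
    last_rx = 0.0
    deadline = policy.header_deadline if policy.header_deadline is not None else float("inf")
    for t, chunk in events:
        idle_expiry = last_rx + policy.idle_timeout     # timer restarted by the last byte
        if t > deadline and deadline <= idle_expiry:
            return ("dropped_deadline", deadline)
        if t > idle_expiry:
            return ("dropped_idle", idle_expiry)
        buf += chunk
        last_rx = t
        if HEADER_END in buf:
            return ("complete", t)
    # Client went quiet without finishing: whichever limit fires first wins.
    idle_expiry = last_rx + policy.idle_timeout
    if deadline <= idle_expiry:
        return ("dropped_deadline", deadline)
    return ("dropped_idle", idle_expiry)


def trickle(payload: bytes, interval: float) -> List[Tuple[float, bytes]]:
    """Constructed client trace: one byte of `payload` every `interval` seconds."""
    return [(i * interval, payload[i:i + 1]) for i in range(len(payload))]


# Constructed sample traces.
PARTIAL = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: b\r\n"   # never sends the blank line
FULL = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
LEGIT_SLOW = [(0.0, FULL[:16]), (20.0, FULL[16:])]               # slow but finishes in 20 s


@dataclass
class Conn:
    age: float        # seconds since connect
    received: int     # bytes received so far
    expected: int     # bytes needed: a header budget, or Content-Length for a body


def laziness(c: Conn) -> float:
    """Seconds of age per unit of progress; higher is a better candidate to shed.

    Progress is measured against the expected size, so a half-received large
    POST scores low while a connection with a few header bytes scores high.
    """
    progress = min(c.received / max(c.expected, 1), 1.0)
    return c.age / max(progress, 1e-6)


def laziest(conns: List[Conn]) -> int:
    """Index of the connection to drop first when the server is saturated."""
    return max(range(len(conns)), key=lambda i: laziness(conns[i]))


SAMPLE_CONNS = [
    Conn(age=60.0, received=20, expected=8192),                 # header trickle
    Conn(age=60.0, received=5_000_000, expected=10_000_000),    # big POST, half done
    Conn(age=5.0, received=8000, expected=8192),                # nearly complete headers
]


if __name__ == "__main__":
    print(simulate(trickle(PARTIAL, 5.0), Policy(300.0, None)))   # idle-reset only
    print(simulate(trickle(PARTIAL, 5.0), Policy(300.0, 30.0)))   # with header deadline
    print(simulate(LEGIT_SLOW, Policy(300.0, 30.0)))              # slow but legitimate
    print("shed connection index:", laziest(SAMPLE_CONNS))
```

With a 300-second idle timeout and no deadline, the one-byte-every-5-seconds client is never dropped while it keeps sending; the 30-second header deadline cuts it at 30 seconds while the genuinely slow client that finishes its headers in 20 seconds is still served. The laziness score picks the header trickle over the large POST in progress, which is the "care on big POSTs" point in the post above.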
Adrian, I agree with everything you wrote. Your post, as well as Slowloris, can indeed make an Apache server suffer, which can be particularly nasty for web hosting companies (for example, not making their SLAs).
There is an unofficial patch for Apache available; I'll check it to see if it helps.
Bojan, ISC Handler, Jun 22nd 2009
There are more tools that you may use to test for vulns without attacking the target, and a tool that one could use to do a DDoS. Namely:
ap_finger - to guess the timeouts
chinese_death - to check if the server is resetting the read timeout
killap - DDoS tool
All may be found at http://pub.mud.ro/~cia/computing/apache-httpd-denial-of-service-example.html but you need to fix the compile-time errors that keep away bad guys without brains. Or I can email working versions to SANS.
Bojan, Jun 22nd 2009
http://pub.mud.ro/~cia/files/deadsnail/
The fingerprint and vulcheck programs as done 2 years ago (they work the same :P )
Bojan, Jun 22nd 2009