Received: (qmail 23969 invoked by uid 2012); 21 Dec 1998 18:34:04 -0000 Message-Id: <19981221183404.23968.qmail@hyperreal.org> Date: 21 Dec 1998 18:34:04 -0000 From: Jesus Cea Reply-To: jcea@argo.es To: apbugs@hyperreal.org Subject: Simple and effective DoS: children "reading" X-Send-Pr-Version: 3.2 >Number: 3571 >Category: general >Synopsis: Simple and effective DoS: children "reading" >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Dec 21 10:40:01 PST 1998 >Last-Modified: Wed Apr 21 00:31:16 PDT 1999 >Originator: jcea@argo.es >Organization: >Release: 1.3.3 >Environment: Solaris 2.5.1 Server: Apache/1.3.3 (Unix) PHP/3.0.5 gcc version 2.7.2 >Description: You can have a very simple but effective Denial of Service simply opening several connections in parallel (telnet/NetCat). Each connection move a child to "Reading" state, disabling it until the connection is closed or timeout arrives. You can launch easily 10 connects per second from a dialup connection, eating all the Apache children. The service would be dead until timeouts expire. >How-To-Repeat: Simply open as many telnet connections as Apache children you had configured. >Fix: None correct, but possible temporal workaround): * Limit simultaneous connections from a single IP. * An unique dispatcher. When you have several request, serve first: * Older requests and * Request with the least concurrency (simultaneous requests) >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: dgaudet State-Changed-When: Wed Apr 21 00:31:16 PDT 1999 State-Changed-Why: Unfortunately none of the things you suggested are feasible with the current apache architecture. If someone attacks your host this way, filter their IP address. Dean >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]