From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: DoS in Apache 2.0.52 ?

On Mon, 1 Nov 2004, Chintan Trivedi wrote:

> GET / HTTP/1.0\n
> [space] x 8000\n
> [space] x 8000\n
> [space] x 8000\n
> .
> .
> 8000 times

> I created 25 threads (connections) and sent the above request to one
> webserver.

This is circa 1.5 GB of data (61 MB per connection), at which point you
probably either caused an (improperly configured) server to kill random
processes on OOM, or swapped it to death.

This seems to be a valid DoS, and Apache most certainly should refuse such
an attack (historically, they had several other header parsing flaws).
This attack is probably not particularly efficient, compared to, say, a
good old connection flood, should you have 1.6 GB of bandwidth to spare.

/mz
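As an added example (not code from this thread, nor from Apache): a request-head reader in Python that bounds what it will buffer, so the request shape quoted above is refused after reading a few hundred kilobytes at most rather than the ~61 MB per connection discussed. The limit names and values, the exception names and the constructed payloads are this example's own assumptions; the three limits stand in for the role of Apache's LimitRequestLine, LimitRequestFieldSize and LimitRequestFields directives, not for their actual defaults.

```python
import io

# Limits in the role of Apache's LimitRequestLine / LimitRequestFieldSize /
# LimitRequestFields directives; these values are assumptions made for this example.
MAX_REQUEST_LINE = 8190   # longest accepted request line, in bytes
MAX_FIELD_SIZE = 8190     # longest accepted header field after unfolding
MAX_FIELDS = 100          # most header fields accepted per request
MAX_HEADER_BYTES = MAX_FIELDS * MAX_FIELD_SIZE  # cap on bytes read for the whole head


class RequestRejected(Exception):
    """The request head was refused before it was fully read."""

class HeaderTooLarge(RequestRejected): pass
class TooManyFields(RequestRejected): pass
class MalformedRequest(RequestRejected): pass


def read_line(stream, limit):
    """Return one line without its CRLF/LF, never buffering more than limit+2 bytes."""
    data = stream.readline(limit + 2)
    if not data.endswith(b"\n"):
        # No line ending within the limit, or the peer closed mid-line: refuse now.
        raise HeaderTooLarge("line exceeds %d bytes or is truncated" % limit)
    line = data.rstrip(b"\r\n")
    if len(line) > limit:
        raise HeaderTooLarge("line exceeds %d bytes" % limit)
    return line


def parse_request_head(stream):
    """Parse request line and header fields; returns (method, target, version, headers).

    Folded continuation lines (leading SP/HTAB) are joined into the preceding field.
    A RequestRejected subclass is raised as soon as any limit is exceeded, so the
    bytes buffered per connection stay bounded whatever the peer sends.
    """
    request_line = read_line(stream, MAX_REQUEST_LINE)
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise MalformedRequest("bad request line: %r" % request_line[:64])
    method, target, version = parts

    headers = []
    current = None   # [name, value] of the field still being assembled
    consumed = 0     # header bytes accepted so far, line endings included
    while True:
        line = read_line(stream, MAX_FIELD_SIZE)
        consumed += len(line) + 2
        if consumed > MAX_HEADER_BYTES:
            raise HeaderTooLarge("header block exceeds %d bytes" % MAX_HEADER_BYTES)
        if line == b"":
            break                                  # blank line ends the head
        if line[:1] in (b" ", b"\t"):
            # Continuation line: it needs a field to fold into, and the unfolded field
            # must stay within the per-field limit. Whitespace-only continuations add
            # nothing to the value but still count toward MAX_HEADER_BYTES.
            if current is None:
                raise MalformedRequest("continuation line before any header field")
            current[1] = (current[1] + b" " + line.strip()).strip()
            if len(current[1]) > MAX_FIELD_SIZE:
                raise HeaderTooLarge("unfolded field exceeds %d bytes" % MAX_FIELD_SIZE)
            continue
        if current is not None:
            headers.append((current[0], current[1]))
        if len(headers) >= MAX_FIELDS:
            raise TooManyFields("more than %d header fields" % MAX_FIELDS)
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise MalformedRequest("header line without a name: %r" % line[:64])
        current = [name.strip(), value.strip()]
    if current is not None:
        headers.append((current[0], current[1]))
    return method, target, version, headers


def parse_request_bytes(payload):
    """Convenience wrapper: parse an in-memory request head."""
    return parse_request_head(io.BytesIO(payload))


def attack_shaped_request(lines, width=8000, with_host=False):
    """Constructed payload in the shape of the quoted message: a request line and
    then `lines` lines of `width` spaces. With with_host=True a Host field comes
    first, so the space-only lines fold into it as continuation lines."""
    head = b"GET / HTTP/1.0\n"
    if with_host:
        head += b"Host: example.com\n"
    return head + (b" " * width + b"\n") * lines


def reject_reason(payload):
    """Feed a payload to the parser; return (rejection class name or None, bytes read)."""
    stream = io.BytesIO(payload)
    try:
        parse_request_head(stream)
        return None, stream.tell()
    except RequestRejected as exc:
        return type(exc).__name__, stream.tell()
```

Fed a payload built by attack_shaped_request(512) (512 space-only lines instead of the quoted 8000, about 4 MB), the bare quoted shape is refused on its first space-only line, since a continuation line arrives before any field exists to fold it into; the same shape sent after a Host: field is refused once the cumulative header budget is exhausted, roughly 800 KB in, while a legitimate request containing one folded header parses normally.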

