lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4E4FD35D.1070403@sansz.org>
Date: Sat, 20 Aug 2011 17:31:41 +0200
From: Levente Peres <sheridan@...sz.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Apache Killer

My findings, hope it helps... Properly configured HAProxy with queue 
management and per-server limits can dampen the effects quite drastically.

In my testing (three low-end SunFire servers and a LB) an attack volume 
of well over a 1000 threads was necessary to notice any small speed 
degradation on the frontend - which triggeres anti DOS immediately if 
done from outside LAN. System immediately recovers fully when the attack 
stops, no coredumps, nothing, not even after half an hour of sustained 
attack. No crashing or unstability whatsoever happened on any servers, 
not even at 2000, but dared not to test further on a live system... If 
performed from multiple IPs or varied content etc however, a pattern 
recognition scheme would be necessary to block it I believe... Also 
tested it with a simple one-server setup with Squid as frontend before 
apache, it reported not vulnerable... Not tested any further yet.

Done on a "barefoot" apache however, it was devastating even at 100 
threads regardless the lots of RAM and quadcode setup :-(

Levente

2011.08.20. 14:31 keltezéssel, HI-TECH . írta:
> Disabling mod_gzip/mod_deflate is a workaround I guess.
>
> 2011/8/20 Moritz Naumann<security@...itz-naumann.com>:
>> On 20.08.2011 00:23 HI-TECH . wrote:
>>> (see attachment)
>>> /Kingcope
>> Works (too) well here. Are there any workarounds other than rate
>> limiting or detecting + dropping the traffic IPS-wise?
>>
>> Moritz
>>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> ---
> avast! Antivirus: Inbound message clean.
> Virus Database (VPS): 110819-1, 2011.08.19
> Tested on: 2011.08.20. 14:32:33
> avast! - copyright (c) 1988-2011 AVAST Software.
> http://www.avast.com
>
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ