apache DOS tool


apache DOS tool

Peter van Oord van der Vlies-2
Hi,

Today some pages are publishing news about an Apache DOS tool, for example
(http://isc.sans.org/diary.html?storyid=6601) and
http://ha.ckers.org/blog/20090617/slowloris-http-dos/

Does this apply to the OpenBSD Apache too?

Peter


Re: apache DOS tool

Richard Toohey
On 20/06/2009, at 8:24 AM, Peter van Oord van der Vlies wrote:

> Hi,
>
> Today some pages are publishing news about an Apache DOS tool, for
> example (http://isc.sans.org/diary.html?storyid=6601) and
> http://ha.ckers.org/blog/20090617/slowloris-http-dos/
>
> Does this apply to the OpenBSD Apache too?
>
> Peter


Looks like it is old ...

http://marc.info/?l=apache-httpd-bugs&m=124533720717343&w=2

And advice here ...

http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos

(Yes, I appreciate that it doesn't directly answer your question,
but might help someone ...)


Re: apache DOS tool

Aiko Barz-3
On Mon, Jun 22, 2009 at 08:31:01PM +1200, Richard Toohey wrote:

> On 20/06/2009, at 8:24 AM, Peter van Oord van der Vlies wrote:
>
>> Hi,
>>
>> Today some pages are publishing news about an Apache DOS tool, for
>> example (http://isc.sans.org/diary.html?storyid=6601) and
>> http://ha.ckers.org/blog/20090617/slowloris-http-dos/
>>
>> Does this apply to the OpenBSD Apache too?
>>
>> Peter
>
>
> Looks like it is old ...
>
> http://marc.info/?l=apache-httpd-bugs&m=124533720717343&w=2
>
> And advice here ...
>
> http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos
>
> (Yes, I appreciate that it doesn't directly answer your question,
> but might help someone ...)

Nope, this does not help at all. Reducing the Timeout helps for a
second. But reducing the timeout in slowloris.pl too makes the Apache
unreachable within seconds again.

Haven't tested OpenBSD's Apache-1.3 so far. But the only thing that
currently helps, IMHO, is to limit the number of established connections
per IP. So one client is not able to block all the available Apache
processes (threads) anymore.

So long,
    Aiko
--
:wq b
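The per-IP connection limit Aiko describes maps directly onto pf on OpenBSD. The pf.conf fragment below is an added example, not something posted in this thread; the interface name, the table name and the thresholds are assumptions to be tuned for the site.

```pf
# Added example (not from the thread): cap completed TCP connections per
# source address to the web server. Interface, limits and table name are
# assumed values.
ext_if    = "em0"
web_ports = "{ 80, 443 }"

# Table of source addresses that exceeded the limits. "persist" keeps the
# table around even when no rule currently references it.
table <slow_http> persist

# Sources already in the table are dropped outright; "quick" stops rule
# evaluation so the pass rule below is never reached for them.
block in quick on $ext_if from <slow_http>

# Allow web traffic, but limit each source to 20 simultaneous completed
# TCP connections and 15 new connections per 5 seconds. A source that
# exceeds either limit is added to <slow_http> and all of its existing
# states are removed ("flush global"), so connections it is holding open
# are torn down instead of pinning httpd children.
pass in on $ext_if proto tcp from any to ($ext_if) port $web_ports \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 15/5, \
     overload <slow_http> flush global)
```

Load it with `pfctl -f /etc/pf.conf` and inspect or clear the table with `pfctl -t slow_http -T show` and `pfctl -t slow_http -T delete <addr>`. The limit is per source address, so many users behind one NAT or proxy share a single budget; size max-src-conn with that in mind.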


Re: apache DOS tool

Richard Toohey
On 22/06/2009, at 9:25 PM, Aiko Barz wrote:

> On Mon, Jun 22, 2009 at 08:31:01PM +1200, Richard Toohey wrote:
>> On 20/06/2009, at 8:24 AM, Peter van Oord van der Vlies wrote:
>>
>>> Hi,
>>>
>>> Today some pages are publishing news about an Apache DOS tool, for
>>> example (http://isc.sans.org/diary.html?storyid=6601) and
>>> http://ha.ckers.org/blog/20090617/slowloris-http-dos/
>>>
>>> Does this apply to the OpenBSD Apache too?
>>>
>>> Peter
>>
>>
>> Looks like it is old ...
>>
>> http://marc.info/?l=apache-httpd-bugs&m=124533720717343&w=2
>>
>> And advice here ...
>>
>> http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos
>>
>> (Yes, I appreciate that it doesn't directly answer your question,
>> but might help someone ...)
>
> Nope, this does not help at all. Reducing the Timeout helps for a
> second. But reducing the timeout in slowloris.pl too makes the Apache
> unreachable within seconds again.
>
> Haven't tested OpenBSD's Apache-1.3 so far. But the only thing that
> currently helps, IMHO, is to limit the number of established
> connections per IP. So one client is not able to block all the
> available Apache processes (threads) anymore.
>
> So long,
>     Aiko
> --
> :wq b

By "help" I also meant "explain" - not "here's a fix" ... the top
link I posted said this:

<quote>Every network application is affected by such attacks, this is
a protocol level issue.  It occurs at the network layer, not the
application layer, as demonstrated by the fact that AcceptFilter in
httpd has no impact on the attack.

The solution, like the problem, lies in the network layer.  See iptables
and similar network stack filters to provide protection against this
vector.</unquote>

Seems like they (and you) are saying Apache is not the place for
the fix?

Enough from me ...


Re: apache DOS tool

Aiko Barz-3
On Mon, Jun 22, 2009 at 09:32:56PM +1200, Richard Toohey wrote:
> The solution, like the problem, lies in the network layer.  See iptables
> and similar network stack filters to provide protection against this  
> vector.</unquote>
>
> Seems like they (and you) are saying Apache is not the place for the
> fix?

Apache would be the right place to fix the issue IMHO, since other
webservers are not affected that much. Maybe something like not counting
an unfinished request as an active worker thread. But this is up to the
people who know the program internals, which I don't.

So long,
    Aiko
--
:wq b


Re: apache DOS tool

Jonas Thambert
Aiko Barz wrote:

> On Mon, Jun 22, 2009 at 09:32:56PM +1200, Richard Toohey wrote:
>> The solution, like the problem, lies in the network layer.  See iptables
>> and similar network stack filters to provide protection against this  
>> vector.</unquote>
>>
>> Seems like they (and you) are saying Apache is not the place for the
>> fix?
>
> Apache would be the right place to fix the issue IMHO, since other
> webservers are not affected that much. Maybe something like not counting
> an unfinished request as an active worker thread. But this is up to the
> people who know the program internals, which I don't.
>
> So long,
>     Aiko

This is more interesting:

http://www.phrack.com/issues.html?issue=66&id=9#article

//Jonas


Re: apache DOS tool

John Wright-6
On Mon, Jun 22, 2009 at 04:36:58PM +0200, Jonas Thambert wrote:

> Aiko Barz wrote:
> > On Mon, Jun 22, 2009 at 09:32:56PM +1200, Richard Toohey wrote:
> >> The solution, like the problem, lies in the network layer.  See iptables
> >> and similar network stack filters to provide protection against this  
> >> vector.</unquote>
> >>
> >> Seems like they (and you) are saying Apache is not the place for the
> >> fix?
> >
> > Apache would be the right place to fix the issue IMHO, since other
> > webservers are not affected that much. Maybe something like not counting
> > an unfinished request as an active worker thread. But this is up to the
> > people who know the program internals, which I don't.
> >
> > So long,
> >     Aiko
>
> This is more interesting:
>
> http://www.phrack.com/issues.html?issue=66&id=9#article
>
> //Jonas
>

That looks like much lower level TCP timer stuff whereas the slowloris DOS
can be replicated with telnet or netcat.