Apache DDoS vulnerability requires immediate update to avoid threat

Tuesday, September 6, 2011


"You can legitimately ask for hundreds of very large overlapping parts of a file in a single request. ... A relatively modest number of requests can tie a server's CPU and memory in knots."

Mark Stockley, Web Consultant, Sophos

A new version of the Apache open source Web server, which runs 65% of the world's websites, has been issued to disable a vulnerability that exposed it to a potential distributed denial-of-service (DDoS) attack.

In an Aug. 31 announcement, the Apache Software Foundation and the Apache HTTP Server Project said they had released version 2.2.20 of the Apache HTTP Server in order to fix the flaw, identified last week. "We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade," the announcement said.

The new version was produced quickly because a tool that exploits the vulnerability (CVE-2011-31092 at cve.mitre.org) was identified in the wild.

Sophos Web Consultant Mark Stockley wrote on the Sophos Labs Naked Security blog that the vulnerability would allow attackers to mount an Apache DDoS attack without having masses of computing firepower at their disposal.

The vulnerability is exploited through a feature of Web servers that allows users to pause and resume their downloads. As Stockley described it: "You can legitimately ask for hundreds of very large overlapping parts of a file in a single request. Enough parts that a relatively modest number of requests can tie a server's CPU and memory in knots."

He noted this is partly due to a weakness in the HTTP protocol, meaning other Web servers might also be vulnerable.

The new version of Apache reduces the amount of memory used by range requests, and, if the total bytes of a file requested exceed the total file size, httpd (the Apache HTTP daemon that monitors incoming requests) will return the entire file.
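An added example, not Apache's own code, showing the kind of check the article describes: parse the byte ranges in a Range header, add up the bytes they cover, and fall back to serving the whole file when that total exceeds the file size. The per-request cap on the number of ranges and the rejection of overlapping ranges are assumed policy choices for this example, not details reported in the article.

```python
import re

# Assumed policy cap on the number of ranges per request (not Apache's own value).
MAX_RANGES = 20

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header, file_size):
    """Parse a Range header ("bytes=0-99,-100") into absolute (start, end)
    tuples clipped to the file. Returns None when the header is malformed;
    unsatisfiable specs (start past end) are dropped."""
    if not header.startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            return None
        first, last = m.groups()
        if first == "":  # suffix range: the last N bytes of the file
            start, end = max(0, file_size - int(last)), file_size - 1
        else:
            start = int(first)
            end = file_size - 1 if last == "" else min(int(last), file_size - 1)
        if start <= end:
            ranges.append((start, end))
    return ranges


def total_bytes(ranges):
    """Bytes the server would have to emit to satisfy every range."""
    return sum(end - start + 1 for start, end in ranges)


def has_overlap(ranges):
    """True when any two ranges cover the same byte."""
    ordered = sorted(ranges)
    return any(a[1] >= b[0] for a, b in zip(ordered, ordered[1:]))


def should_ignore_range(header, file_size, max_ranges=MAX_RANGES):
    """True when the server should ignore the Range header and answer the
    whole file with 200 instead of assembling a multipart 206 response."""
    ranges = parse_byte_ranges(header, file_size)
    if not ranges:
        return True  # malformed or nothing satisfiable: no partial response to build
    if len(ranges) > max_ranges:
        return True  # assumed policy: too many parts in one request
    if total_bytes(ranges) > file_size:
        return True  # the rule the article attributes to Apache 2.2.20
    return has_overlap(ranges)  # assumed policy: overlapping parts are refused
```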

Network administrators are strongly advised to update their systems immediately. Also writing on the Sophos blog, Senior Security Advisor Chester Wisniewski observed: "Many Linux and Unix administrators set and forget their installations and never bother to look after their servers. The Apache team should be applauded for testing and releasing an important security fix so quickly. Now it is up to you, the IT administrators, who are using Apache to follow through and apply these fixes."

