Mailing List Archive: Apache: Bugs

[Bug 47417] Apache Web Server 2.2.11 Incomplete HTTP Header Resource Exhaustion Vulnerability



bugzilla at apache

Jun 24, 2009, 1:39 PM

Post #1 of 5 (422 views)
[Bug 47417] Apache Web Server 2.2.11 Incomplete HTTP Header Resource Exhaustion Vulnerability

https://issues.apache.org/bugzilla/show_bug.cgi?id=47417


Will Rowe <wrowe[at]apache.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID




--- Comment #1 from Will Rowe <wrowe[at]apache.org> 2009-06-24 13:39:38 PST ---
This is by design; see the LimitRequest* directives for mitigation, especially:

http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields

The httpd group is reviewing alternatives for timeout processing, but is
already well aware of similar complaints. In the interim, see iptables and
similar firewall tools and appliances to restrict abusive behavior patterns
at the IP and TCP layers, and LimitRequestFields etc to control the number
of headers expected by your specific environment.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe[at]httpd.apache.org
For additional commands, e-mail: bugs-help[at]httpd.apache.org


bugzilla at apache

Jun 24, 2009, 5:09 PM

Post #2 of 5 (391 views)
[Bug 47417] Apache Web Server 2.2.11 Incomplete HTTP Header Resource Exhaustion Vulnerability [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=47417


Nick Kew <nick[at]webthing.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |




--- Comment #2 from Nick Kew <nick[at]webthing.com> 2009-06-24 17:09:18 PST ---
Will, with all due respect, I don't think the fact we're aware of it (and in
the wake of slowloris everyone is discussing it) invalidates a bug report
applied to current versions.

In the short term, we need to publish something on mitigation. We have yet to
do even that!



bugzilla at apache

Jun 24, 2009, 10:20 PM

Post #3 of 5 (387 views)
[Bug 47417] Apache Web Server 2.2.11 Incomplete HTTP Header Resource Exhaustion Vulnerability [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=47417


Will Rowe <wrowe[at]apache.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |INVALID




--- Comment #3 from Will Rowe <wrowe[at]apache.org> 2009-06-24 22:20:53 PST ---
Nick,

this particular report describes the problem that arbitrary headers of some
arbitrary number (limit 100 by default) are accepted individually by httpd.
That is not a bug.

Reclosing. An appropriate bug report w.r.t. timeouts would be entirely
appropriate, and I'm sure this reporter would appreciate being cc'ed on that
particular case.

What is described here is absolutely not a bug.



bugzilla at apache

Jun 25, 2009, 9:33 PM

Post #4 of 5 (380 views)
[Bug 47417] Apache Web Server 2.2.11 Incomplete HTTP Header Resource Exhaustion Vulnerability [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=47417





--- Comment #4 from sailesh_kyanam[at]fanniemae.com 2009-06-25 21:33:33 PST ---
Thanks for your feedback and insights.

Whether we call this a bug, feature or known issue - I was able to very
trivially bring down numerous Apache web servers using a modified version of
this script. I could "workaround" the issue by reducing timeout to very low
numbers (which are always not acceptable in our situation) and/or limit the
headers to unreasonably small numbers (no idea what effect this would have on
some of our more complex apps). The only realistic option I found to work
around this issue is to allocate a large number of processes and assign a large
number of threads to each process (I use mpm_worker), and then hope the
script kiddie attacking me is not a persistent *gentleman*.

Of course, there are other options such as using firewalls and IDS - both of
which are not practical in many of our use cases.

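As an added illustration (not configuration from the bug thread or the httpd project), this is how the two mitigations discussed above look in a 2.2 worker-MPM httpd.conf: Comment #1's LimitRequest* caps, and Comment #4's shorter Timeout plus a larger process/thread pool. The numeric values are assumptions chosen for illustration; only the stock defaults quoted in comments are httpd's own.

```apacheconf
# Added example (not from the bug thread): an httpd 2.2 worker-MPM
# configuration contrasting the stock defaults with tightened values.
# The tightened numbers are illustrative assumptions; size them to the
# header profile your own applications actually produce.

# --- Stock 2.2 defaults, shown for comparison -----------------------
# Timeout               300    # seconds an idle connection holds a worker
# LimitRequestFields    100    # header lines accepted per request
# LimitRequestFieldSize 8190   # bytes allowed per header line
# LimitRequestLine      8190   # bytes allowed in the request line

# --- Comment #1: cap header count and size with LimitRequest* -------
# Each partial header the client trickles in is one more line httpd
# will wait for; a lower cap bounds that count per connection.
LimitRequestFields     40
LimitRequestFieldSize  4096
LimitRequestLine       4096

# --- Comment #4: shorten how long an idle client may hold a worker ---
# Too low a value breaks slow but legitimate clients; the thread notes
# that very low values were not acceptable for the reporter's apps.
Timeout                20
KeepAlive              On
KeepAliveTimeout       5

# --- Comment #4: enlarge the worker pool (capacity, not a fix) -------
# MaxClients is bounded by ServerLimit * ThreadsPerChild and is the
# total number of connections httpd can hold open at once. Raising it
# increases the number of idle connections an attacker must sustain,
# but does not remove the exposure.
<IfModule mpm_worker_module>
    ServerLimit          32
    StartServers         8
    ThreadsPerChild      64
    MaxClients           2048    # 32 * 64
    MinSpareThreads      128
    MaxSpareThreads      512
    MaxRequestsPerChild  0
</IfModule>
```

Validate with `apachectl -t` before reloading. Later 2.2.x releases (2.2.15 onward) added mod_reqtimeout's RequestReadTimeout directive, which bounds the time spent reading headers and is the timeout-side fix Comment #1 says was still under review at the time of this thread.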


bugzilla at apache

Jun 27, 2009, 4:04 PM

Post #5 of 5 (365 views)
[Bug 47417] Apache Web Server 2.2.11 Incomplete HTTP Header Resource Exhaustion Vulnerability [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=47417


Alex Legler <a3li[at]gentoo.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |a3li[at]gentoo.org



