Apache Killer: Server admins advised of DoS attack tool
A few hours ago Dirk-Willem van Gulik and the Apache team sent out an email advisory to the Apache mailing list warning of a widely available denial-of-service (DoS) attack tool that showed up on mainstream security disclosure lists about a week ago, although it has likely been in the wild for a lot longer than that.
The Perl script called “Apache Killer” credited to Kingcope basically exploits a vulnerability in the way httpd handles multiple overlapping ranges and leads to system memory exhaustion. When running the script it basically causes the remote system being targeted to start continuously swapping memory to the filesystem filling up the swap partition and subsequently killing off processes when it starts to run out swap space resulting in system instability.
According to Apache all versions from the deprecated 1.3 line as well as the current 2.0 line are vulnerable to attack. Thus it would appear system admins are all in the boat together on this one, and as many are aware Apache runs approximately 65% + of all web servers out there, so needless to say that’s a lot of system admins.
While those still running 1.3 are pretty much tough out of luck, Apache said there will be a patch fix expected in the next 48 hours for 2.x. If you can’t wait until then and are concerned about a DoS from this tool in that time span, then there are few steps they’ve suggested in order to try and mitigate any potential exploit. You can read those in the email quoted below.
Believe it or not, the attack vector this tool exploits is actually not new at all and apparently was first publicly pointed out over four and half years ago to Apache by Michal Zalewski who now works on security for Google.
We’ve also included a nice little example video of the attack tool in action below the quoted email.
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1Apache HTTPD Security ADVISORY
==============================Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192:
Date: 20110824 1600Z
Product: Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versionsDescription:
============A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by the Apache HTTPD server:http://seclists.org/fulldisclosure/2011/Aug/175
An attack tool is circulating in the wild. Active use of this tools has
been observed.The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.The default Apache HTTPD installation is vulnerable.
There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
is available.A full fix is expected in the next 48 hours.
Mitigation:
============However there are several immediate options to mitigate this issue until
a full fix is available:1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.Option 1: (Apache 2.0 and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-rangeOption 2: (Also for Apache 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* – [F]The number 5 is arbitrary. Several 10′s should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such complex http based video streaming.2) Limit the size of the request field to a few hundred bytes. Note that while
this keeps the offending Range header short – it may break other headers;
such as sizeable cookies or security fields.LimitRequestFieldSize 200
Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
3) Use mod_headers to completely dis-allow the use of Range headers:
RequestHeader unset Range
Note that this may break certain clients – such as those used for
e-Readers and progressive/http-streaming video.4) Deploy a Range header count module as a temporary stopgap measure:
http://people.apache.org/~dirkx/mod_rangecnt.c
Precompiled binaries for some platforms are available at:
http://people.apache.org/~dirkx/BINARIES.txt
5) Apply any of the current patches under discussion – such as:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e
Actions:
========Apache HTTPD users who are concerned about a DoS attack against their server
should consider implementing any of the above mitigations immediately.When using a third party attack tool to verify vulnerability – know that most
of the versions in the wild currently check for the presence of mod_deflate;
and will (mis)report that your server is not vulnerable if this module is not
present. This vulnerability is not dependent on presence or absence of
that module.Planning:
=========This advisory will be updated when new information, a patch or a new release
is available. A patch or new apache release for Apache 2.0 and 2.2 is expected
in the next 48 hours. Note that, while popular, Apache 1.3 is deprecated.—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.11 (Darwin)iEYEARECAAYFAk5VI+MACgkQ/W+IxiHQpxsz4wCgipR6nQmd45hAgFmI/8dHULLF
BtoAmQGsi2efZKibpaSMI+aCt8fQgWgS
=11BG
—–END PGP SIGNATURE—–
“Believe it or not, the bug this attack tool exploits is actually not new at all and apparently was first publicly pointed out over four and half years ago to Apache by Michal Zalewski”
Actually it’s not, it’s just the same vector:
http://seclists.org/fulldisclosure/2011/Aug/274
@pgl you are correct. It was very late (or early should I say) when I wrote that bit and didn’t really have the time to proof read it fully as I would have liked to so it was poorly worded to say the least. I apologize for that. Thanks for drawing it to my attention though, I appreciate it.
Still no patch yet although it is said one will be out within the next 24 hrs but another update (#2) from Dirk-Willem van Gulik has just been sent out which I’ve quoted verbatim and re-posted below for those who are interested. Apparently the ‘Range-Request’ header is also affected as you can plainly read below.
So is there any update on this? Has the fix been released yet? I’ve still not heard anything.
@Paul yes the patch has been out since yesterday, on time just like the Apache team said it would be.