'Devastating' Apache bug leaves servers exposed
Devs race to fix weakness disclosed in 2007
Maintainers of the Apache webserver are racing to patch a severe weakness that allows an attacker to use a single PC to completely crash a system and was first diagnosed 54 months ago.
Attack code dubbed “Apache Killer” that exploits the vulnerability in the way Apache handles HTTP-based range requests was published Friday on the Full-disclosure mailing list. By sending servers running versions 1.3 and 2 of Apache multiple GET requests containing overlapping byte ranges, an attacker can consume all memory on a target system.
“The behaviour when compressing the streams is devastating and can end up in rendering the underlying operating system unusable when the requests are sent parallely,” Kingcope, the researcher credited with writing and publishing the proof-of-concept attack code wrote Wednesday on Apache's Bugzilla discussion list. “Symptoms are swapping to disk and killing of processes including but solely httpd processes.”
The denial-of-service attack works by abusing the routine web clients use to download only certain parts, or byte ranges, of an HTTP document from an Apache server. By stacking an HTTP header with multiple ranges, an attacker can easily cause a system to malfunction. On Wednesday morning, Apache developers said they expect to release a patch in the next 96 hours.
The Apache advisory contains several workarounds that admins can deploy in the meantime.
The susceptibility of Apache's range handling to crippling DoS attacks was disclosed in January 2007 Michal Zalewski, a security researcher who has since taken a job with Google. He said at the time that both Apache and Microsoft's competing IIS webserver were vulnerable to crippling DoS attacks because of the programs' “bizarro implementation” of range header functionality based on the HTTP/1.1 standard.
“Combined with the functionality of window scaling (as per RFC 1323)), it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator,” Zalewski wrote. “Whoops?”
In an email to The Register on Wednesday, Zalewski wrote: “Not sure why they haven't done something about it back then, probably just haven't noticed in absence of an exploit.”
The episode challenges the conventional wisdom repeated by many proponents of open-source software that flaws in freely available software get fixed faster than in proprietary code because everyday users are free to inspect the source code and report any vulnerabilities they find. Assuming that claim is true, the four-year weakness in Apache's range-handling feature would appear to be an obvious exception.
About 235 million websites use Apache, making it the most widely used webserver with about 66 percent of the entire internet, according to figures released last month by Netcraft. IIS ranked second with more than 60 million sites, or about 17 percent.
In a statement issued several hours after this article was published, Microsoft spokesman Jerry Bryant said: "IIS 6.0 and later versions are not susceptible to this type of denial-of-service due to built in restrictions." ®
Trustwave's SpiderLabs has provided a detailed technical analysis here along with instructions for mitigating attacks using the open-source ModSecurity firewall.
"The behaviour when compressing the streams is devastating..."
-- Egon ServerAdmin: There's something very important I forgot to tell you...
-- Peter SiteDeveloper: What?
-- Egon ServerAdmin: Don't compress the streams.
-- Peter SiteDeveloper: Why?
-- Egon ServerAdmin: It would be bad.
-- Peter SiteDeveloper: I'm fuzzy on the whole "good/bad" thing. What do you mean, "bad"?
-- Egon ServerAdmin: Try to imagine all our servers as you know them stopping instantaneously, and every service running on them crashing at the speed of light.
-- Ray HelpDeskDispatcher: Total service denial!
-- Peter SiteDeveloper: Right, that's bad. Okay. Allright. Important safety tip. Thanks, Egon...
Wait, this article gets the whole thing wrong
Whilst what Michal Zalewski reported is somewhat related to this, the actual DoS is nothing to do with what he reported - it's simply the attack vector to expose the actual bug.
He reports that you can get Apache to dump massive amounts of data to the net from a simple request by requesting the entire file range over and over. His DoS threat was from setting up massive TCP windows, so httpd keeps sending data without waiting for an ack, and then silently dropping the connection. This is a DoS attack that attempts to consume all your bandwidth. There have been no successful attacks reported using this approach.
This exploit works in a completely different way. It repeatedly asks for tiny fragments of the file, as opposed to the entire contents of the same file.
Due to how httpd handles byte range requests, each byte of the response ends up as an entire brigade in the response. This leads to massive memory usage for that request.
Flood httpd with those kinds of requests, and httpd quickly consumes all the memory on the server. It is an entirely different kind of DoS attack.
So, to clarify, the bug reported 4 years ago is not the same as the bug that leads to this DoS attack. They are slightly related in terms of attack vector, but that is it. This is not a bug reported 4 years ago that is only getting fixed now, as the article makes out.
"Fragmentation abounds as far as the eyes can see"
I know, isn't it terrible? There should be One World, One Vision, One Operating System!
Everyone's needs are the same, and everyone's desires are irrelevant. The interests of the coders who develop this stuff for free need to be crushed and they must be forced to work instead on the One True Desktop Environment, or whatever.
There's even more than one web browser! Did you know there is *more than one command line shell*? Worse yet, there is more than one programming language even within the same language family! These things can be compiled for machines with totally different architectures. I ask you! Where will the madness end? THIS SORT OF DISUNITY SHOULD NOT AND WILL NOT BE TOLERATED.