Re: Grave apache dos possible through byterange requests
On 24/08/11 08:53 +0200, Dirk Hartmann wrote:
> It is possible to DoS an actual squeeze-apache2 with easy to forge
> range-requests:
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
> Apache-devs are working on a solution:
> http://www.gossamer-threads.com/lists/apache/dev/401638
> But because the situation seems serious I thought I'd give you a heads up.
> Running this script against a squeeze machine with 8 cores and 24GB RAM you
> only need 200 threads to kick it out of memory.

There is an advisory that recommends some
workarounds, depending on the needs of your
specific site:
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110824161640.122D387DD@minotaur.apache.org%3E
regards
Rolf
--
I never let my schooling get in the way of my education. — Mark Twain