Grave apache dos possible through byterange requests

To: debian-security@lists.debian.org
Subject: Grave apache dos possible through byterange requests
From: Dirk Hartmann <dha@morticah.net>
Date: Wed, 24 Aug 2011 08:53:00 +0200
Message-id: <[🔎] CAEPFx+p6u0qUXYsxD9qfDOUFhPbMAcuqutydc+x5P0OhO5=1wg@mail.gmail.com>

Hi,

it is possible to dos a actual squeeze-apache2 with easy to forge rage-requests:

http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html

Apache-devs are working on a solution:

http://www.gossamer-threads.com/lists/apache/dev/401638

But because the situation seems serious I thought I give you a heads up.

Running this script against a squeeze machine with 8 Cores and 24GB Ram you only need 200 threads to kick it out of memory.

Cheers

Dirk

Reply to:

Follow-Ups:
- Re: Grave apache dos possible through byterange requests
  - From: Carlos Alberto Lopez Perez <clopez@igalia.com>
- Re: Grave apache dos possible through byterange requests
  - From: Rolf Kutz <rk@vzsze.de>

Prev by Date: Re: [SECURITY] [DSA 2267-1] perl security update
Next by Date: Re: Grave apache dos possible through byterange requests
Previous by thread: Re: [SECURITY] [DSA 2267-1] perl security update
Next by thread: Re: Grave apache dos possible through byterange requests
Index(es):
- Date
- Thread