>Number: 1608 >Category: general >Synopsis: Sending loads of /'s in a request can eventually bring system >to crawl. >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue Dec 30 08:50:01 PST 1997 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.2.x (1.2.4 has hole) >Environment: This happens for all of the Apaches 1.2.0 or later, tested on Linux 2.0.33, iE86, GCC 2.7.2. (Cyrix 6x86L PR166+ Linux system, 16mb EDO RAM, 4.7GB EIDE Western Digital Harddrive). Personally tested on 1.2.0, rumored to work on all Apache's to 1.2.4. No problem has been seen or attempted to be fixed. >Description: If you use a program posted to bugtraq today, you can effectivley bring a box to it's knees using the program. This program sends repeated requests with lots of /'s. This isn't a real bug in Apache, but it takes a few seconds to have it think about the problem. If these requests are sent in a loop, the box will gradually slow down and come to almost a stop. Below is some system stats for my machine about 15 seconds after I stopped the attack.
PID USER PRI NI SIZE RES SHRD STAT %CPU %MEM TIME COMMAND 206 www 17 0 1212 600 388 R 21.4 4.0 0:04 /usr/local/etc/httpd 65 www 16 0 1264 692 404 R 21.2 4.7 0:11 /usr/local/etc/httpd 197 www 17 0 1236 616 380 R 21.1 4.1 0:05 /usr/local/etc/httpd 11:54am up 52 min, 2 users, load average: 2.27, 0.95, 0.34 Linux gashalot 2.0.33 #1 Mon Dec 29 16:56:27 EST 1997 iE86 Tue Dec 30 11:54:28 EST 1997 >How-To-Repeat: View the bugtraq article and use his program. You may download the files to create the crash at www.gashalot.com/beck.zip , this way you can download it yourself (it is private, since I don't think that anyone else should have this bug. >Fix: Patch in something looking for more than 3 /'s in a row. If a user is typning 3 /'s in a row, simply spit back a message telling him to take out some of the /'s. Never are 3 /'s in a row justified, or needed. This way the server just appears to have heavy traffic when attacked >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ]
