* Dirk-Willem van Gulik:

> On 24 Aug 2011, at 13:43, Florian Weimer wrote:
>
>> * Dirk-Willem van Gulik:
>>
>>> Hmm - when I remove mod_deflate (i.e. explicitly, as it is the default
>>> in all our installs) and test on a / entry which is a static file
>>> which is large (100k)* - then I cannot get Apache on its knees on a
>>> FreeBSD machine - saturating the 1Gbit connection it has (Note: the
>>> attack machines *are* getting saturated). The moment I put in
>>> mod_deflate, mod_external filter, etc., it is much easier to
>>> deplete enough resources to notice.
>>
>> Oh. Have you checked memory usage on the server?
>
> I had not - and you are right - quite high. I also tried it on an
> Ubuntu machine - and that one dies right out of the gate - regardless
> as to whether deflate is on or off.
It seems that this reflects different approaches to memory overcommitment. I didn't see any crashes with vm.overcommit_memory=2 on Linux, either. I wouldn't mention this in the advisory, though, because even if no critical process is terminated due to the out-of-memory condition, thrashing could still push the system beyond the point of recovery. Including the increased memory usage in the advisory, as a potential attack indicator, would make sense, IMHO.

-- 
Florian Weimer <fwei...@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99