Re: Apache DOS, help needed

2002-10-18 Thread Martin Blapp

Hi all,

In the meantime I've found some datapoints. This is a Slapper DoS
attack, a Linux worm which has been modified to kill Apaches or
to take them down.

All Apaches (also 1.27) are vulnerable. It hammers the server till
all slots are filled, and then the Apache server is not able to serve
any customers anymore until these requests time out.

http://groups.google.com/groups?q=worm+apache+DOS+slapper&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3ebd7d0b.0210142024.75d362b6%40posting.google.com&rnum=5

And this was proposed as fast fix:

# AWB - another attempt to keep apache from being DOS'd by slapper
ServerTokens ProductOnly
ServerSignature Off

Besides that DoS, I'm able to block Apache with just a telnet and a Perl
script.

I'd consider this a severe DoS vulnerability.

Martin

Martin Blapp, <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
--
ImproWare AG, UNIXSP & ISP, Zurlindenstrasse 29, 4133 Pratteln, CH
Phone: +41 061 826 93 00: +41 61 826 93 01
PGP: 
PGP Fingerprint: B434 53FC C87C FE7B 0A18 B84C 8686 EF22 D300 551E
--



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



Apache DOS, help needed

2002-10-18 Thread Martin Blapp

Hi,

I'm using Apache 1.27 with recent mod_ssl. I'm not vulnerable to this bug.

But from time to time I see large scans which have the symptoms of this
worm.

All my FreeBSD children get used and are waiting in a queue, and the server gets
unresponsive for 5-6 minutes.

I set the limits correctly:

RLimitNPROC 25
RLimitMEM 4000
RLimitCPU 5

But in this case, RLimitNPROC seems not to work :P

I also tried mod_throttle, but it does also not help in this case because
all connections are made at the same time and they time out 180 seconds later.

[Fri Oct 18 05:51:43 2002] [error] [client 202.131.107.1] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Oct 18 05:51:43 2002] [error] [client 202.131.107.1] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Oct 18 05:51:43 2002] [error] [client 202.131.107.1] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
Min/MaxSpareServers), spawning 32 children, there are 0 idle, and 502 total children
[Fri Oct 18 05:51:48 2002] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Fri Oct 18 05:54:26 2002] [info] [client 202.131.107.1] read request line timed out
[Fri Oct 18 05:54:26 2002] [info] [client 202.131.107.1] read request line timed out
[Fri Oct 18 05:54:26 2002] [info] [client 202.131.107.1] read request line timed out
[Fri Oct 18 05:54:26 2002] [info] [client 202.131.107.1] read request line timed out
[Fri Oct 18 05:54:29 2002] [info] [client 202.131.107.1] read request line timed out

And so on.

Does someone have a quick fix for this or an idea?

Martin Blapp, <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
--
ImproWare AG, UNIXSP & ISP, Zurlindenstrasse 29, 4133 Pratteln, CH
Phone: +41 061 826 93 00: +41 61 826 93 01
PGP: 
PGP Fingerprint: B434 53FC C87C FE7B 0A18 B84C 8686 EF22 D300 551E
--


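The error_log excerpt above is enough to build a small detector for this slot-exhaustion pattern: a single client that produces a burst of "request without hostname" errors and, one Timeout later, a burst of "read request line timed out" lines, while the server logs that MaxClients was reached in between. The following Python script is an added example, not code from the thread, from Apache or from FreeBSD. The log lines it parses are constructed to match the Apache 1.3 error_log format of the excerpt (using the documentation addresses 203.0.113.5 and 198.51.100.7 instead of real hosts), the 180 second Timeout is the value mentioned in the message, and the flag threshold of 5 events per client is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the Apache 1.3 error_log excerpt in the thread.
# 203.0.113.5 (a documentation address, not a real host) opens many connections
# at once; some send "GET / HTTP/1.1" without a Host header, the rest send no
# request line at all and hold a child slot until Apache's Timeout expires.
SAMPLE_LOG = """\
[Fri Oct 18 05:51:43 2002] [error] [client 203.0.113.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Oct 18 05:51:43 2002] [error] [client 203.0.113.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Oct 18 05:51:43 2002] [error] [client 203.0.113.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Oct 18 05:51:44 2002] [error] [client 198.51.100.7] File does not exist: /usr/local/www/data/favicon.ico
[Fri Oct 18 05:51:48 2002] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Fri Oct 18 05:54:26 2002] [info] [client 203.0.113.5] read request line timed out
[Fri Oct 18 05:54:26 2002] [info] [client 203.0.113.5] read request line timed out
[Fri Oct 18 05:54:26 2002] [info] [client 203.0.113.5] read request line timed out
[Fri Oct 18 05:54:26 2002] [info] [client 203.0.113.5] read request line timed out
[Fri Oct 18 05:54:29 2002] [info] [client 203.0.113.5] read request line timed out
"""

# Apache 1.3 error_log line: "[date] [level] [client ip] message"; the client part is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[a-z]+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

NO_HOST = "request without hostname"          # request line sent, Host header missing
IDLE_TIMEOUT = "read request line timed out"  # connection opened, nothing sent for Timeout seconds
MAXCLIENTS = "server reached MaxClients setting"


def parse_line(line):
    """Return (timestamp, level, client or None, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("level"), m.group("client"), m.group("msg")


def analyze(log_text, flag_threshold=5, timeout_seconds=180):
    """Count slot-holding events per client and measure the outage window.

    flag_threshold: assumed number of no-hostname + idle-timeout events that marks a client.
    timeout_seconds: Apache's Timeout directive; an idle timeout logged at T means the
    connection was accepted at about T - Timeout.
    """
    per_client = defaultdict(lambda: {"no_hostname": 0, "idle_timeouts": 0})
    maxclients_at = None
    first_timeout_at = None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, _level, client, msg = parsed
        if MAXCLIENTS in msg:
            if maxclients_at is None:
                maxclients_at = ts
            continue
        if client is None:
            continue
        if NO_HOST in msg:
            per_client[client]["no_hostname"] += 1
        elif IDLE_TIMEOUT in msg:
            per_client[client]["idle_timeouts"] += 1
            if first_timeout_at is None:
                first_timeout_at = ts

    suspects = sorted(
        c for c, n in per_client.items()
        if n["no_hostname"] + n["idle_timeouts"] >= flag_threshold
    )
    outage_seconds = None
    idle_opened_at = None
    if first_timeout_at is not None:
        idle_opened_at = first_timeout_at - timedelta(seconds=timeout_seconds)
        if maxclients_at is not None:
            # Slots are full from the MaxClients message until the first idle slot is released.
            outage_seconds = int((first_timeout_at - maxclients_at).total_seconds())
    return {
        "clients": dict(per_client),
        "suspects": suspects,
        "maxclients_at": maxclients_at,
        "first_timeout_at": first_timeout_at,
        "outage_seconds": outage_seconds,
        "idle_opened_at_estimate": idle_opened_at,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, counts in result["clients"].items():
        print(client, counts)
    print("suspects:", result["suspects"])
    print("slots full for about", result["outage_seconds"], "seconds")
```

Running it against a real error_log (`analyze(open("/var/log/httpd-error.log").read())`) gives the per-client counts and the time between "server reached MaxClients" and the first released slot; on the constructed sample that window is 158 seconds, which matches the "5-6 minutes" of unresponsiveness reported above once the children spawned during the burst are also waiting out their Timeout. The "File does not exist" line from the second client is parsed but not counted, since it holds no slot.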