RE: DoS attack on mod_ssl 2.8.12 ??

2002-12-20 Thread Boyle Owen
There is a major thread running on the openssl list about this very
thing (Slapper worm)... Starts here:

http://www.mail-archive.com/openssl-users@openssl.org/msg29762.html

Rgds,

Owen Boyle

-Original Message-
From: Sergey Strakhov [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 19 December 2002 17:04
To: [EMAIL PROTECTED]
Cc: Pedro Nascimento; Greg Davydouski
Subject: DoS attack on mod_ssl 2.8.12 ??


Hello,

We are experiencing problems with our Win32 Apache 1.3.27 with mod_ssl
2.8.12 + openssl 0.9.6g running on Windows 2000.
It is a sort of DoS attack that makes our web site totally inaccessible.

One of those attacks was captured with Ethereal. The dump is attached.

As you can see, the attack is accomplished through both HTTP (80) and
HTTPS (443) ports.
First, the connection is opened to the HTTP port and a malformed
HTTP/1.1 GET request (with no Host: header) is sent to the HTTP port
(probably with an intention to produce a crash described in
http://www.cert.org/advisories/CA-2002-27.html or just to determine the
host's Server version). The server responds with HTTP/1.1 400 Bad
request and closes the connection. After that the attacker starts
opening connections to the HTTPS port. One of them is used to send SSLv2
Client Hello request. From this point the web server starts rejecting
all incoming connections and the web site stops responding on both HTTP
and HTTPS ports.

The error log usually contains records like:

[..time..] [error] [client ..] client sent HTTP/1.1 request without
hostname (see RFC2616 section 14.23): /
[..time..] [error] Server ran out of threads to serve requests. Consider
raising the ThreadsPerChild setting

Is this problem related to mod_ssl anyhow?
Do you expect any fix for this problem soon?

Regards

P.S. We have the ThreadsPerChild parameter of httpd.conf set to 10.



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: DoS attack on mod_ssl 2.8.12 ??

2002-12-19 Thread HMajidy
I have heard from several sources Apache version 1.x for Windows does not
thread very well. The first real Win32 version is Apache 2.0. This does not
answer your question, I know, but it's something to consider in formulating
a long-term solution.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Sergey Strakhov
Sent: Thursday, December 19, 2002 8:04 AM
To: [EMAIL PROTECTED]
Cc: Pedro Nascimento; Greg Davydouski
Subject: DoS attack on mod_ssl 2.8.12 ??


Hello,

We are experiencing problems with our Win32 Apache 1.3.27 with mod_ssl
2.8.12 + openssl 0.9.6g running on Windows 2000.
It is a sort of DoS attack that makes our web site totally inaccessible.

One of those attacks was captured with Ethereal. The dump is attached.

As you can see, the attack is accomplished through both HTTP (80) and
HTTPS (443) ports.
First, the connection is opened to the HTTP port and a malformed
HTTP/1.1 GET request (with no Host: header) is sent to the HTTP port
(probably with an intention to produce a crash described in
http://www.cert.org/advisories/CA-2002-27.html or just to determine the
host's Server version). The server responds with HTTP/1.1 400 Bad
request and closes the connection. After that the attacker starts
opening connections to the HTTPS port. One of them is used to send SSLv2
Client Hello request. From this point the web server starts rejecting
all incoming connections and the web site stops responding on both HTTP
and HTTPS ports.

The error log usually contains records like:

[..time..] [error] [client ..] client sent HTTP/1.1 request without
hostname (see RFC2616 section 14.23): /
[..time..] [error] Server ran out of threads to serve requests. Consider
raising the ThreadsPerChild setting

Is this problem related to mod_ssl anyhow?
Do you expect any fix for this problem soon?

Regards

P.S. We have the ThreadsPerChild parameter of httpd.conf set to 10.






Re: DoS attack on mod_ssl 2.8.12 ??

2002-12-19 Thread hunter
On Thu, 2002-12-19 at 11:03, Sergey Strakhov wrote:
> Hello,
>
> We are experiencing problems with our Win32 Apache 1.3.27 with mod_ssl
> 2.8.12 + openssl 0.9.6g running on Windows 2000.
> It is a sort of DoS attack that makes our web site totally inaccessible.
>
> One of those attacks was captured with Ethereal. The dump is attached.
>
> As you can see, the attack is accomplished through both HTTP (80) and
> HTTPS (443) ports.
> First, the connection is opened to the HTTP port and a malformed
> HTTP/1.1 GET request (with no Host: header) is sent to the HTTP port
> (probably with an intention to produce a crash described in
> http://www.cert.org/advisories/CA-2002-27.html or just to determine the
> host's Server version). The server responds with HTTP/1.1 400 Bad
> request and closes the connection. After that the attacker starts
> opening connections to the HTTPS port. One of them is used to send SSLv2
> Client Hello request. From this point the web server starts rejecting
> all incoming connections and the web site stops responding on both HTTP
> and HTTPS ports.
>
> The error log usually contains records like:
>
> [..time..] [error] [client ..] client sent HTTP/1.1 request without
> hostname (see RFC2616 section 14.23): /
> [..time..] [error] Server ran out of threads to serve requests. Consider
> raising the ThreadsPerChild setting
>
> Is this problem related to mod_ssl anyhow?
> Do you expect any fix for this problem soon?
>
> Regards
>
> P.S. We have the ThreadsPerChild parameter of httpd.conf set to 10.

Your code is very much out of date ... it is exploitable and DOSable

I saw many people in the summer describe similar reports as yours,
prompting me to build Apache binaries for many of those that were
suffering.

You cannot continue to run with openssl 0.9.6g -- openssl 0.9.6h is the
current version.  My advice is do not waste your time trying to
understand it.

You can get reliable up-to-date binaries from me ;)  Other people are
downloading the binaries as well.

http://hunter.campbus.com/Apache_1.3.27-Mod_SSL_2.8.11-OpenSSL_0.9.6h-Win32.zip

http://hunter.campbus.com/Openssl-0.9.6h-Win32.zip

http://hunter.campbus.com/Apache_2.0.43-OpenSSL_0.9.6h-Win32.zip

You can also get them from my server ... md5's are available from my
server as well.

http://tor.ath.cx/~hunter/Apache_1.3.27-Mod_SSL_2.8.11-OpenSSL_0.9.6h-Win32.zip

http://tor.ath.cx/~hunter/Openssl-0.9.6h-Win32.zip

http://tor.ath.cx/~hunter/Apache_2.0.43-OpenSSL_0.9.6h-Win32.zip

You are welcome to contact me directly
h u n t e r @ t o r . a t h . c x

If you need instructions on how to rebuild the code, I have to look for
them - they are messy (for Apache2) and can be found in the archives -
search for 'apache hunter masm' -- apache 1.3.27 is easy to build let me
know if you need help.

hunter

