    Wednesday, Aug 24, 2011

    Research - Apache DoS Exploit, Partial Content 

    During the weekend Kingcope released an exploit, "Apache Killer", for Apache web servers on the Full Disclosure message board. The vulnerability takes advantage of a feature called "Partial Content" that allows Apache sites that support it to be DoSed in many cases.

    Apache Killer works by sending partial content requests to Apache httpd. These requests cause the daemon to swap memory to the filesystem and, with enough requests, exhaust the server's resources.

    We did some testing for some of our customers and confirmed that it worked very well with few resources (a 3G connection was used during the testing to DoS a site).

    We edited the exploit script, removed the DoS payload, and then used it to determine how many sites could be affected. By running this across the Alexa Top 1000 sites for Australia, we identified that 91 were possibly vulnerable. Similarly, on the ASX 200 list, 26 organisations were likely to be vulnerable.

    To mitigate this in one instance where no other controls were possible (as in a shared hosting environment), an iptables rule was used to defend against it. However, any firewall, WAF or IPS could be configured to prevent this attack.

    To test your susceptibility to this attack, you could run curl with the following to determine whether Partial Content is supported on your Apache site:
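
    The check a WAF or IPS rule for this attack could apply to each request, as an added example that is not from the original post or from Apache. It assumes the abusive requests carry a Range header listing many, often overlapping, byte ranges; the function names and the MAX_RANGES value of 5 are choices made for this example.

```python
import re

MAX_RANGES = 5  # assumed policy threshold for this example
_SPEC = re.compile(r"(\d*)-(\d*)")

def parse_ranges(value):
    """Parse a Range header value into (first, last) pairs, None = absent.
    Returns None for a non-bytes unit or a malformed range list."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.fullmatch(spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None
        ranges.append((first, last))
    return ranges

def has_overlap(ranges):
    """True if any two ranges with an explicit start share a byte."""
    spans = sorted((f, float("inf") if l is None else l)
                   for f, l in ranges if f is not None)
    return any(b[0] <= a[1] for a, b in zip(spans, spans[1:]))

def check_range(value):
    """Return (allowed, reason) for one request's Range header value."""
    ranges = parse_ranges(value)
    if ranges is None:
        return (False, "malformed")
    if len(ranges) > MAX_RANGES:
        return (False, "too many ranges")
    if has_overlap(ranges):
        return (False, "overlapping ranges")
    return (True, "ok")

# Constructed sample header values, not captured traffic.
SAMPLES = [
    "bytes=1-",                      # the curl test from this page
    "bytes=0-99,200-299",            # ordinary multi-range request
    "bytes=0-100,50-150",            # overlapping ranges
    "bytes=" + ",".join(f"{i}-{i + 9}" for i in range(0, 200, 10)),
    "items=0-5",                     # not a byte range
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_range(s), s[:40])
```

    A filter that gets (False, ...) can drop the request or strip the Range header so the full resource is served instead.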

    curl -H "Range:bytes=1-" -I http://target.com | grep Partial

    A patch adding support for turning off Partial Content was also found here with a quick Google search:

    http://wejn.org/stuff/apache-partial-content-new.diff.html

    Also, someone else has posted this video of the DoS in action (albeit in a test environment):

    http://www.youtube.com/watch?v=fkCQZaVjBhA