[BlueOnyx:08235] Re: Apache DoS exploit kit

Michael Stauber mstauber at blueonyx.it
Wed Aug 24 23:34:34 -05 2011


Hi Ernie,

> I just noticed that Apache are warning about a DoS exploit tool that's
> circulating around the Internet:
> 
> http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_admins_of_DoS_attack_tool
> 
> Is the Apache on BlueOnyx vulnerable?

I just checked:

BlueOnyx 5106R:

]# ./killapache.pl 5106r.smd.net 50
Host does not seem vulnerable

BlueOnyx 5107R:

]# ./killapache.pl devel6.blueonyx.it 50
Host does not seem vulnerable

Then I tested it against a BlueQuartz box:

[root at 5107r ~]# ./killapache.pl minimax.smd.net 50
host seems vuln
ATTACKING minimax.smd.net [using 50 forks]
:pPpPpppPpPPppPpppPp
ATTACKING minimax.smd.net [using 50 forks]
[...]

I had "top" running on the target box (a VPS in the same network as the host 
from which I ran the attack) and the result was quite disheartening:

top - 00:20:15 up 21 days, 12:47,  1 user,  load average: 24.07, 10.64, 4.15
Tasks:  71 total,  30 running,  41 sleeping,   0 stopped,   0 zombie
Cpu(s): 94.6% us,  0.6% sy,  0.0% ni,  4.8% id,  0.0% wa,  0.0% hi,  0.0% si
Mem:   4000000k total,   923668k used,  3076332k free,        0k buffers
Swap:        0k total,        0k used,        0k free,        0k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
12248 apache    15   0 42700  24m 1552 R 18.6  0.6   0:06.75 httpd
 5597 apache    16   0 42700  24m 1552 R 16.3  0.6   0:25.74 httpd
22109 apache    16   0 42700  24m 1556 R 16.3  0.6   0:25.29 httpd
 5712 apache    16   0 42700  24m 1552 R 16.0  0.6   0:26.28 httpd
22110 apache    15   0 42700  24m 1556 R 16.0  0.6   0:26.14 httpd
22102 apache    15   0 42700  24m 1556 R 15.7  0.6   0:26.07 httpd
27669 apache    15   0 42700  24m 1552 R 15.3  0.6   0:14.46 httpd
32302 apache    15   0 42700  24m 1552 R 14.7  0.6   0:09.61 httpd
 5493 apache    15   0 42700  24m 1552 R 14.3  0.6   0:26.32 httpd
 9521 apache    16   0 42700  24m 1552 R 14.3  0.6   0:21.57 httpd
22101 apache    16   0 42700  24m 1556 R 14.3  0.6   0:25.45 httpd
22106 apache    15   0 42700  24m 1556 R 14.3  0.6   0:25.38 httpd
 5711 apache    16   0 42700  24m 1552 R 13.0  0.6   0:25.09 httpd
17921 apache    16   0 42700  24m 1552 R 13.0  0.6   0:03.40 httpd
22107 apache    16   0 42700  24m 1556 R 13.0  0.6   0:26.61 httpd
28594 apache    16   0 42700  24m 1552 R 13.0  0.6   0:12.39 httpd
 5709 apache    15   0 42700  24m 1552 R 12.4  0.6   0:25.23 httpd
 5710 apache    15   0 42700  24m 1552 R 12.4  0.6   0:25.57 httpd
22108 apache    15   0 42700  24m 1556 R 12.4  0.6   0:26.93 httpd
13377 apache    15   0 42700  24m 1552 R 12.1  0.6   0:05.86 httpd
 9262 apache    15   0 42700  24m 1552 R 11.7  0.6   0:23.19 httpd
11728 apache    15   0 42700  24m 1552 R 11.7  0.6   0:20.26 httpd
12147 apache    16   0 42700  24m 1552 R 11.4  0.6   0:06.45 httpd
13376 apache    16   0 42700  24m 1552 R 11.4  0.6   0:05.98 httpd
22104 apache    15   0 42700  24m 1556 R 11.1  0.6   0:25.33 httpd
22100 apache    16   0 42700  24m 1556 R 10.8  0.6   0:25.82 httpd
13374 apache    16   0 42700  24m 1552 R  8.8  0.6   0:06.34 httpd

Summary:
========

BlueOnyx is *not* affected by this vulnerability.

BlueQuartz *is* affected by this vulnerability. 

In my tests the attacked BlueQuartz (with a stock BlueQuartz Apache 
configuration!) didn't run out of memory and crash, even when I hammered it 
with 5000 forks each from four attacking hosts (instead of just 50 forks from 
a single attacking host). But even a small-scale attack from a single host 
drove the server load of the attacked BlueQuartz to a level where it reacted 
VERY sluggishly and where it affected all services to a point that usability 
dropped almost to zero.

Temporary workaround for BlueQuartz boxes (NOT NEEDED ON BlueOnyx!!!):
=======================================================================

Edit each and every (!) /etc/httpd/conf/vhosts/site*.include file and drop the 
following lines into each:

# Redirect any request whose Range header starts with "bytes=0-" (the pattern
# the DoS tool sends) to the site root instead of serving the ranges.
RewriteEngine On
RewriteCond %{HTTP:Range} bytes=0-.* [NC]
RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]

Then restart Apache:

/etc/init.d/httpd restart

This hotfix isn't perfect, as it possibly may still be hit by some variants of 
this attack. But it should stop the script kiddies for now until a more 
permanent fix can be applied.

By the way: I'm REALLY curious how long it will take the CentOS team to 
release an updated Apache for CentOS4.

-- 
With best regards

Michael Stauber
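The hotfix in the post is a single mod_rewrite condition on the Range header, and the post itself warns that variants of the attack may still get past it. As an added illustration (not code from the post, nor from the BlueOnyx or BlueQuartz projects), the Python below mirrors that RewriteCond as a regex, shows which sample headers it redirects and which it misses, and contrasts it with a stricter parse-and-count rule of the kind the Apache project's own advisory later suggested (reject requests carrying more than five byte-range specs). All header values are constructed for the example; the "attack" value is modelled on the shape the killapache tool is known for (`bytes=0-` followed by a long run of tiny overlapping ranges), and its exact count and offsets are an assumption.

```python
import re

# Constructed sample Range header values (not captured from a real attack).
# ATTACK_RANGE is modelled on the killapache pattern: "bytes=0-" followed by
# many tiny overlapping ranges. The count (1300) and the "5-N" offsets are an
# assumption for this example, not a quote of the tool.
ATTACK_RANGE = "bytes=0-" + "".join(f",5-{k}" for k in range(1300))
# Same flood, but starting at byte 1: a trivial variant of the above.
VARIANT_RANGE = "bytes=1-" + "".join(f",5-{k}" for k in range(1300))
RESUME_RANGE = "bytes=100-200"        # a normal download-resume request
FIRST_CHUNK_RANGE = "bytes=0-1023"    # a normal "give me the first block" request

# 1. The post's hotfix, as a regex. mod_rewrite CondPatterns are unanchored
#    searches, and the [NC] flag makes the match case-insensitive.
HOTFIX_PATTERN = re.compile(r"bytes=0-.*", re.IGNORECASE)


def hotfix_redirects(range_value):
    """True when the post's RewriteCond would fire and 302 the request."""
    return HOTFIX_PATTERN.search(range_value) is not None


# 2. A stricter check that counts byte-range-specs instead of looking only at
#    the first one: parse "bytes=a-b,c-d,..." into (first, last) tuples.
_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(range_value):
    """Return a list of (first, last) tuples (None = open end) for a bytes
    range set, or None if the value is not syntactically well-formed."""
    m = re.match(r"^\s*bytes\s*=\s*(.+)$", range_value, re.IGNORECASE)
    if m is None:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        sm = _SPEC.match(spec.strip())
        if sm is None or sm.group(1) == sm.group(2) == "":
            return None  # e.g. "-" or "abc": malformed spec
        first = int(sm.group(1)) if sm.group(1) else None
        last = int(sm.group(2)) if sm.group(2) else None
        ranges.append((first, last))
    return ranges


def range_is_abusive(range_value, max_ranges=5):
    """True when the request should be refused outright (403): the header is
    malformed or carries more than max_ranges specs. No header, no problem."""
    if range_value.strip() == "":
        return False
    ranges = parse_ranges(range_value)
    return ranges is None or len(ranges) > max_ranges


def classify(range_value):
    """Summarise what each rule does with a header value."""
    return {
        "post_hotfix_302": hotfix_redirects(range_value),
        "count_rule_403": range_is_abusive(range_value),
        "spec_count": len(parse_ranges(range_value) or []),
    }


if __name__ == "__main__":
    for name, value in [("attack", ATTACK_RANGE), ("variant", VARIANT_RANGE),
                        ("resume", RESUME_RANGE), ("first chunk", FIRST_CHUNK_RANGE)]:
        print(f"{name:12s} {classify(value)}")
```

Running it shows the two sides of the trade-off: the post's regex stops the classic `bytes=0-...` flood but also redirects a legitimate `bytes=0-1023` request, and it does nothing against the `bytes=1-...` variant; counting the specs catches both floods and leaves ordinary one- or two-range requests alone.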