BugTraq
a cheesy Apache / IIS DoS vuln (+a question) Jan 03 2007 11:27PM
Michal Zalewski (lcamtuf dione ids pl) (4 replies)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 05 2007 08:45AM
bugtraq (bugtraq securityfocus lists bitrouters com) (1 replies)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 09 2007 06:15AM
William A. Rowe, Jr. (wrowe rowe-clan net) (1 replies)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 10 2007 10:04AM
bugtraq (bugtraq securityfocus lists bitrouters com)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 04 2007 12:36PM
Siim Põder (windo p6drad-teel net)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 04 2007 11:45AM
Pieter de Boer (pieter thedarkside nl) (1 replies)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 04 2007 06:47PM
Rob Sherwood (capveg cs umd edu)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 04 2007 05:35AM
William A. Rowe, Jr. (wrowe rowe-clan net) (2 replies)
Michal Zalewski wrote:
> I feel silly for reporting this, but I couldn't help but notice that
> Apache and IIS both have a bizarro implementation of HTTP/1.1 "Range"
> header functionality (as defined by RFC 2616). Their implementations allow
> the same fragment of a file to be requested an arbitrary number of times,
> and each redundant part to be received separately in a separate
> multipart/byteranges envelope.

Batten down the hatches!

> (An example would be an "old-fashioned" attack on a server that happens
> to host multi-gigabyte ISO files or movies - simply request them
> many times and let window scaling do the rest... of course, most
> high-profile sites are smart enough to host static HTML and basic layout
> elements separately from such bandwidth-intensive and non-essential
> content, so it still makes sense to take note of "Range" behavior).

Seriously, HTTP pipelining can accomplish EXACTLY the same thing with minimal
pain. If you have an issue with this behavior, of HTTP, then you have an
issue with the behavior under FTP or a host of other protocols. And as you
say, simple enough to find some 1.5mb pdf's. But you expect 1gb window sizes
to actually succeed?

In 95% of the cases that follow your comment above, although the load may
be often be distributed between boxes based on computational intensity, it
is nearly always shoved down the same pipe in the end.

> Combined with the functionality of window scaling (as per RFC 1323)

is exactly where your concern should lay - socket kernel-level control of
unrealistic window scaling, and similar scaling restrictions at the router
layer.

With the host of real issues out there in terms of massively parallel DDoS
infrastructures that abound, this is, as you say, quite a silly report.

[ reply ]
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 05 2007 07:11AM
Gadi Evron (ge linuxbox org)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 04 2007 08:18AM
Michal Zalewski (lcamtuf dione ids pl)


 

Privacy Statement
Copyright 2010, SecurityFocus