BugTraq
Re: a cheesy Apache / IIS DoS vuln (+a question) Jan 05 2007 07:11AM
Gadi Evron (ge linuxbox org)
On Wed, 3 Jan 2007, William A. Rowe, Jr. wrote:
> Michal Zalewski wrote:
> > I feel silly for reporting this, but I couldn't help but notice that
> > Apache and IIS both have a bizarro implementation of HTTP/1.1 "Range"
> > header functionality (as defined by RFC 2616). Their implementations allow
> > the same fragment of a file to be requested an arbitrary number of times,
> > and each redundant part to be received separately in a separate
> > multipart/byteranges envelope.
>
> Batten down the hatches!
>
> > (An example would be an "old-fashioned" attack on a server that happens
> > to host multi-gigabyte ISO files or movies - simply request them
> > many times and let window scaling do the rest... of course, most
> > high-profile sites are smart enough to host static HTML and basic layout
> > elements separately from such bandwidth-intensive and non-essential
> > content, so it still makes sense to take note of "Range" behavior).
>
> Seriously, HTTP pipelining can accomplish EXACTLY the same thing with minimal
> pain. If you have an issue with this behavior, of HTTP, then you have an
> issue with the behavior under FTP or a host of other protocols. And as you
> say, simple enough to find some 1.5mb pdf's. But you expect 1gb window sizes
> to actually succeed?
>
> In 95% of the cases that follow your comment above, although the load may
> often be distributed between boxes based on computational intensity, it
> is nearly always shoved down the same pipe in the end.
>
> > Combined with the functionality of window scaling (as per RFC 1323)
>
> is exactly where your concern should lie - socket kernel-level control of
> unrealistic window scaling, and similar scaling restrictions at the router
> layer.
>
> With the host of real issues out there in terms of massively parallel DDoS
> infrastructures that abound, this is, as you say, quite a silly report.

Wrong. Any vulnerability, no matter how many others are out there or how
unlikely, is indeed a vulnerability.

As one of the people leading the battle against what you refer to as
"massively parallel DDoS infrastructures", I can tell you I am almost
inclined to giggle here.

Is all you are saying: "YES but mine is better?"

Gadi.
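
The Range behavior described in the quoted report (the same fragment requested many times, each copy returned in its own multipart/byteranges part) can be measured and neutralized on the server side. The following is an added example, not part of the original thread and not Apache or IIS code; the function names, the MAX_RANGES threshold and the sample headers in the test are assumptions constructed for illustration.

```python
import re

MAX_RANGES = 16  # assumed site policy, not a value from the thread
_SPEC = re.compile(r"(\d*)-(\d*)")

def parse_ranges(header, size):
    """Resolve 'bytes=...' to inclusive (first, last) pairs for a size-byte file.
    Returns None when the header is malformed and should be ignored."""
    unit, _, specs = header.partition("=")
    if unit.strip().lower() != "bytes" or size <= 0:
        return None
    out = []
    for spec in specs.split(","):
        m = _SPEC.fullmatch(spec.strip())
        if not m or m.groups() == ("", ""):
            return None
        first, last = m.groups()
        if first == "":                      # suffix form "-N": final N bytes
            if int(last) > 0:
                out.append((max(size - int(last), 0), size - 1))
            continue
        if last != "" and int(last) < int(first):
            return None                      # last < first is invalid
        if int(first) < size:                # otherwise unsatisfiable, skip
            out.append((int(first), min(int(last), size - 1) if last else size - 1))
    return out

def coalesce(ranges):
    """Merge overlapping or adjacent ranges so no byte is sent twice."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged

def assess(header, size):
    """Compare the bytes a Range header asks for with the distinct bytes it covers."""
    ranges = parse_ranges(header, size)
    if ranges is None:
        return {"action": "ignore-range"}
    merged = coalesce(ranges)
    requested = sum(l - f + 1 for f, l in ranges)
    distinct = sum(l - f + 1 for f, l in merged)
    if len(ranges) > MAX_RANGES or requested > size:
        action = "serve-whole-file"          # one plain response, no multipart
    elif requested > distinct:
        action = "serve-coalesced"           # overlap present, send merged ranges
    else:
        action = "serve-as-requested"
    return {"action": action, "requested": requested, "distinct": distinct,
            "amplification": requested / size, "ranges": merged}
```

The amplification value is the ratio of bytes the server would emit to the size of the file, which is the quantity the report is concerned with.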
