Bug 47386 - Remote Apache TCP stack DOS
Remote Apache TCP stack DOS
Status: RESOLVED FIXED
Product: Apache httpd-2
Classification: Unclassified
Component: All
2.2.11
All All
: P2 critical (vote)
: ---
Assigned To: Apache HTTPD Bugs Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2009-06-17 19:54 UTC by bug-report
Modified: 2011-06-15 22:51 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description bug-report 2009-06-17 19:54:49 UTC
Hey guys,

First of all thanks for bringing such a good software as Apache.
We're now facing a big problem, that we expect you to patch ASAP :
it's a public full disclosure, and it affect any Apache infrastructure environnement, please read this up :
http://milw0rm.com/exploits/8976


Everyone is affected, and vulnerable to a such attack.

Plz feed up regarding this bug.

Thanks a bunch.
Comment 1 Ruediger Pluem 2009-06-17 23:00:14 UTC
First: If you really want to report a security issue NEVER do it here in the public, but sent a mail to security@httpd.apache.org to handle this matter in a confidential way.
Second: We are aware of this and it is an old hat and expected. Please have a look here: https://issues.apache.org/bugzilla/show_bug.cgi?id=47386
Comment 2 William A. Rowe Jr. 2009-06-18 07:10:48 UTC
Don't follow Rudiger's link, it's cyclic.

Every network application is affected by such attacks, this is a protocol
level issue.  It occurs at the network layer, not the application layer,
as demonstrated by the fact that AcceptFilter in httpd has no impact on
the attack.

The solution, like the problem, lies in the network layer.  See iptables
and similar network stack filters to provide protection against this vector.
Comment 3 Ruediger Pluem 2009-06-18 07:59:23 UTC
(In reply to comment #1)
> First: If you really want to report a security issue NEVER do it here in the
> public, but sent a mail to security@httpd.apache.org to handle this matter in a
> confidential way.
> Second: We are aware of this and it is an old hat and expected. Please have a
> look here: https://issues.apache.org/bugzilla/show_bug.cgi?id=47386

Ahrggg. My bad. Copy and paste error. Thanks for pointing it out Bill.
This is the correct link: http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos
Comment 4 Stefan Priebe 2010-06-23 03:28:49 UTC
sorry for repoening this but could you please tell me how to security_tips.html#dos could help in the case you open a connection and send every few seconds a new header?
Comment 5 Stefan Fritsch 2011-06-15 22:51:59 UTC
This can be mitigated with mod_reqtimeout (usable since 2.2.17)