Apache DOS attack tool circulating

Posted by: mstauber Category: General

An Apache DOS attack tool is circulating in the wild, which can easily overload attacked hosts if they're vulnerable.

A denial-of-service (DOS) tool is circulating in the wild, which exploits a bug in the popular Apache webserver.

The tool, called "Apache Killer," showed up last Friday in a post to the "Full Disclosure" security mailing list.
Today, the Apache project acknowledged the vulnerability that the attack tool exploits, and said it would release a fix for Apache 2.0 and 2.2 in the next 48 hours.

The Apache.org security advisory (available here) states: "An attack tool is circulating in the wild. Active use of this tools has been observed.The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server."

Of course we tested if BlueOnyx is vulnerable to this DOS attack and came to the following observation:

BlueOnyx 5106R (CentOS5 - fully YUM updated): NOT Vulnerable

BlueOnyx 5107R (Scientific Linux 6.1 - fully YUM updated): NOT Vulnerable

Out of interest we also tested a box running BlueQuartz:

BlueQuartz 5102R (CentOS4 - fully YUM updated): Vulnerable

Hotfix for BlueQuartz:

Possible temporary fixes for affected BlueQuartz (please note: not BlueOnyx!) servers can be found in the Apache security advisory (available here) until the time that CentOS releases an updated Apache for CentOS4.

To do so, edit each and any /etc/httpd/conf/vhosts/site*.include files on your BlueQuartz and drop the following three lines into each of them:

{killer}

Also add these three lines to /etc/httpd/conf/vhosts/preview somewhere above the trailing </VirtualHost> line.

Then restart Apache:

/etc/init.d/httpd restart

This hotfix isn't perfect, as it possibly may still be hit by some variants of this attack.

Update:

We just created a small "quick and dirty" script that you can run on a BlueQuartz (and BlueQuartz only!). It is available here.

Usage (at your own risk!):

wget http://data.smd.net/scripts/apache_killer_hotfix.sh.txt
mv apache_killer_hotfix.sh.txt apache_killer_hotfix.sh
chmod 700 apache_killer_hotfix.sh
./apache_killer_hotfix.sh

It creates a backup copy of /etc/httpd/conf/vhosts with the name of /etc/httpd/conf/vhosts.backup

Then it appends the three lines as needed to site*.include files and also to the preview file (if it exists).

At the end of the modifications Apache is restarted.


Return
General
Aug 25, 2011 Category: General Posted by: mstauber
Next page: Features