'Apache Killer' Tool Exploits DoS Flaw

The denial of service attack tool, dubbed “Apache Killer,” affects Apache 1.3 and all versions of Apache 2 by exploiting a flaw in the way Apache handles simultaneous HTTPD-based range requests, according to the open-source Apache Software Foundation.

Specifically, a request for triggering memory consumption includes what’s known as a “range header,” which requests as many bytes as possible from an httpd file.

However, an exploit can occur when attackers send specially crafted HTTP requests that incorporate malformed range HTTP headers. The flaw would cause each of the bytes requested in the range header to be compressed separately, subsequently consuming vast quantities memory that would effectively cause the system to shut down.

“The behavior when compressing the streams is devastating and can end up in rendering the underlying operating system unusuable when the requests are sent parallely,” according to Apache’s Bugzilla forum. “Symptoms are swapping to disk and killing of processes including but solely httpd processes.”

The range header vulnerability enables attackers to execute DoS attacks remotely and is currently being exploited in the wild, warned developers in an Apache advisory Wednesday.

“The attack can be done remotely and with a modest number of requests leads to very significant memory and CPU usage,” the advisory said.

Thus far there is no patch addressing the flaw, although Apache said that a fix could be expected in the next few days.

Until a patch is released, Apache recommended an array of mitigations that include limiting the size of the request field to a few hundred bytes, and limiting the number of ranges.

“Apache HTTPD users are advised to investigate whether they are vulnerable (e.g. allow range headers and use mod-deflate) and consider implementing any of the above mitigations,” Apache said in its advisory.

The range header DoS vulnerability was first detected in 2007 by security researcher Michal Zalewski, who maintained that the flaw affected both Apache and Microsoft’s IIS Web servers.

“Combined with the functionality of window scaling (as per RFC 1323), it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator,” said Zalewski in the blog. “Whoops?”

Zalewski noted in the BugTraq forum that “there are easier tools to (D)DoS a service,” while “nothing about this attack is particularly innovative,” which perhaps prevented the exploit from making it farther up Apache’s list of priorities.