If you are a frequent reader of this blog, you are more or less already familiar with the denial-of-service (DoS) attack. This attack typically targets specific systems or servers and “floods” them with traffic in order to prevent legitimate users from accessing the information or service.
This time around, we have observed a DoS attack that exploits a specific vulnerability, which differs from the usual known DoS methods. Denial-of-service attacks are typically carried out by flooding the target site with traffic (SYN flood, UDP flood, ICMP flood). What makes this attack noteworthy is that it does not require a great amount of traffic: all the attacker has to do is send a specially crafted HTTP request and the site is rendered inaccessible.
We recently did a deeper analysis of the said vulnerability (CVE-2011-3192), found in certain versions of Apache HTTP Server, which allows a remote attacker to conduct a denial-of-service attack by sending a small HTTP request.
The vulnerability exists in the byterange filter in Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19. It can be exploited with a Range header that expresses multiple overlapping ranges. A proof-of-concept exploit abusing this vulnerability was published in August, and a tool that conducts DoS attacks by exploiting it was later created and dubbed “Apache Killer”. Apache already patched this security hole last week.
A typical attack scenario exploiting this vulnerability involves the attacker sending an HTTP request with multiple range:bytes header items to the Apache server.
Once the server receives the said request, it creates a bucket for each of the crafted range:bytes header items and inserts each bucket into the bucket brigade. This causes heightened memory consumption and, eventually, denial of service.
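As an added illustration (not code from this post or from Trend Micro), the following Python check parses a Range header the way a request-inspection rule might and flags the pattern described above: a large number of byte ranges, or ranges that overlap. The MAX_RANGES threshold and the sample headers are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed threshold (not from the advisory): legitimate clients ask for a
# handful of ranges; dozens in one request is the pattern described above.
MAX_RANGES = 10

RangeSpec = Tuple[Optional[int], Optional[int]]  # (first, last); None = open side


def parse_range_header(value: str) -> List[RangeSpec]:
    """Parse 'bytes=0-99,200-,-500' into (first, last) tuples.
    '200-' becomes (200, None); a suffix range '-500' becomes (None, 500)."""
    m = re.match(r"^\s*bytes\s*=\s*(.*)$", value, re.IGNORECASE)
    if not m:
        return []
    specs: List[RangeSpec] = []
    for item in m.group(1).split(","):
        first, sep, last = item.strip().partition("-")
        if not sep:
            continue  # not a byte-range-spec at all; ignore it
        lo = int(first) if first.strip().isdigit() else None
        hi = int(last) if last.strip().isdigit() else None
        if lo is None and hi is None:
            continue  # '-' with no numbers is malformed
        specs.append((lo, hi))
    return specs


def count_overlaps(specs: List[RangeSpec]) -> int:
    """Count absolute ranges that overlap an earlier one. Suffix ranges need
    the resource size to be placed, and first > last is unsatisfiable, so
    both are skipped here (they are still counted as header items)."""
    ivals = sorted((lo, hi if hi is not None else float("inf"))
                   for lo, hi in specs if lo is not None and (hi is None or hi >= lo))
    overlaps, reach = 0, -1
    for start, end in ivals:
        if start <= reach:  # starts inside a range already seen
            overlaps += 1
        reach = max(reach, end)
    return overlaps


def assess_range_header(value: str, max_ranges: int = MAX_RANGES) -> Dict[str, object]:
    """Flag a header carrying more than max_ranges items or any overlap."""
    specs = parse_range_header(value)
    overlaps = count_overlaps(specs)
    return {"ranges": len(specs), "overlaps": overlaps,
            "suspicious": len(specs) > max_ranges or overlaps > 0}


# Constructed sample headers: a normal resume download and a suspicious one.
SAMPLE_HEADERS = ["bytes=500-", "bytes=0-,1-,2-,3-,4-"]
for hdr in SAMPLE_HEADERS:
    print(hdr, "->", assess_range_header(hdr))
```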
Web administrators using Apache HTTP Server are advised to apply the patch as soon as possible. While patch management for vulnerability remediation can be a painful exercise for IT departments, Trend Micro Deep Security shields systems from threats that may leverage vulnerabilities until a patch is available and deployed. Trend Micro provides protection against threats leveraging this vulnerability through Deep Security, specifically rule VSU11-026 (1004782 – Apache httpd Range Header Remote Denial Of Service).