Vigil@nce: Apache httpd, denial of service
June 2009 by Vigil@nce
An attacker can exhaust the maximum number of allowed clients on an Apache httpd server, in its default configuration.
Severity: 1/4
Consequences: denial of service
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 19/06/2009
IMPACTED PRODUCTS
– Apache httpd
DESCRIPTION OF THE VULNERABILITY
When a client connects to the httpd service, it must send an
HTTP request such as:
GET / HTTP/1.0
Host: server
Header: etc.
Until Apache httpd has received the full request, it waits for the
next fragment. The TimeOut directive (300 seconds in the default
configuration of Apache httpd 2.2) bounds the wait for each fragment,
not for the whole request: the timer restarts every time data arrives,
so a session stays open as long as the client sends something before
TimeOut expires.
When MaxClients clients are connected to the service simultaneously,
subsequent clients cannot reach it.
An attacker can therefore open many sessions in parallel and send
each request in small fragments, spaced just under TimeOut apart,
so that every session stays open and the MaxClients limit is
reached. Legitimate users then cannot access the service.
An attacker can therefore exhaust the maximum number of allowed
clients on an Apache httpd server, in its default configuration.
The IIS web server uses a different logic and is not affected by
this denial of service: for example, when a new session arrives,
the oldest inactive or incomplete session is closed to make room.
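The following Python model is added here as an illustration; it is not part of the Vigil@nce advisory nor of Apache httpd's own code. It reproduces the slot accounting described above: a fixed MaxClients pool, a TimeOut timer that restarts on every received fragment, an attacker who sends one small header fragment per session just before TimeOut would expire (and never the blank line that ends the headers), and, for comparison, the close-the-oldest-incomplete-session policy the advisory attributes to IIS. The class and function names, the tick-based time scale, the pool size of 8, the timeout of 5 ticks and the sample request fragments are assumptions made for the example.

```python
import dataclasses
from typing import Dict, List, Optional


@dataclasses.dataclass
class Session:
    client: str
    last_activity: int          # tick at which the last fragment arrived
    received: str = ""
    complete: bool = False


class HttpdModel:
    """Connection-slot accounting in the style the advisory describes.

    At most max_clients sessions exist at once (MaxClients).  A session is
    closed when no fragment has arrived for more than `timeout` ticks
    (TimeOut); every fragment received restarts that timer, which is what
    lets a slow client hold a slot indefinitely.  evict_incomplete=True
    models the alternative policy attributed to IIS: when the pool is full,
    the oldest incomplete session is closed to admit the new one.
    (Assumed model for illustration, not Apache's real scheduler.)
    """

    def __init__(self, max_clients: int, timeout: int, evict_incomplete: bool = False):
        self.max_clients = max_clients
        self.timeout = timeout
        self.evict_incomplete = evict_incomplete
        self.sessions: Dict[str, Session] = {}
        self.served: List[str] = []
        self.refused: List[str] = []
        self.now = 0

    def tick(self) -> None:
        """Advance time by one unit and expire sessions idle for more than TimeOut."""
        self.now += 1
        for cid, s in list(self.sessions.items()):
            if self.now - s.last_activity > self.timeout:
                del self.sessions[cid]

    def connect(self, client: str) -> bool:
        """Open a session; refused (or evicts the oldest incomplete one) when the pool is full."""
        if len(self.sessions) >= self.max_clients:
            victim = self._oldest_incomplete() if self.evict_incomplete else None
            if victim is None:
                self.refused.append(client)
                return False
            del self.sessions[victim.client]
        self.sessions[client] = Session(client, self.now)
        return True

    def send(self, client: str, fragment: str) -> bool:
        """Deliver one fragment; returns False if the session no longer exists."""
        s = self.sessions.get(client)
        if s is None:
            return False
        s.received += fragment
        s.last_activity = self.now            # any data restarts the TimeOut timer
        if "\r\n\r\n" in s.received:          # blank line: request headers complete
            s.complete = True
            self.served.append(client)
            del self.sessions[client]         # request answered, slot freed
        return True

    def _oldest_incomplete(self) -> Optional[Session]:
        candidates = [s for s in self.sessions.values() if not s.complete]
        return min(candidates, key=lambda s: s.last_activity, default=None)


def run_attack(max_clients: int = 8, timeout: int = 5, ticks: int = 60,
               keepalive: bool = True, evict_incomplete: bool = False):
    """Attacker opens max_clients sessions and, when keepalive is set, sends one
    bogus header line per session just before TimeOut would expire.  A legitimate
    client attempts a complete request every 7 ticks (constructed schedule).
    Returns (legitimate requests served, refused, sessions still open at the end)."""
    srv = HttpdModel(max_clients, timeout, evict_incomplete)
    attackers = [f"atk{i}" for i in range(max_clients)]
    for a in attackers:
        srv.connect(a)
        srv.send(a, "GET / HTTP/1.0\r\nHost: server\r\n")   # headers deliberately left open
    served = refused = 0
    for t in range(ticks):
        srv.tick()
        if keepalive and t % (timeout - 1) == 0:
            for a in attackers:
                if not srv.send(a, "X-a: b\r\n"):         # slot was taken away: reopen it
                    srv.connect(a)
                    srv.send(a, "GET / HTTP/1.0\r\nHost: server\r\n")
        if t % 7 == 0:
            user = f"user{t}"
            if srv.connect(user):
                srv.send(user, "GET /index.html HTTP/1.0\r\nHost: server\r\n\r\n")
                served += 1
            else:
                refused += 1
    return served, refused, len(srv.sessions)


if __name__ == "__main__":
    print("default policy, slow fragments :", run_attack())
    print("default policy, attacker silent:", run_attack(keepalive=False))
    print("evict oldest incomplete        :", run_attack(evict_incomplete=True))
```

Run as a script to compare the three scenarios. With the default policy and periodic fragments, every legitimate request is refused and all 8 slots remain held at the end; if the attacker simply stops sending, TimeOut frees the slots and only the first request is refused, which shows that the fragments, not the open connections alone, are what defeats the timer; with the eviction policy the legitimate client is always admitted even though the attacker reopens each evicted session.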
CHARACTERISTICS
Identifiers: 47386, VIGILANCE-VUL-8809
http://vigilance.fr/vulnerability/Apache-httpd-denial-of-service-8809