nginx and Apache killer
mdounin at mdounin.ru
Sun Aug 28 14:25:37 UTC 2011
On Sun, Aug 28, 2011 at 09:42:23AM +0000, Venky Shankar wrote:
> > First of all, nginx doesn't favor HEAD requests with compression,
> > so the exact mentioned attack doesn't work against a standalone
> > nginx installation.
> Well, with apache; the problem is not really due to the compression module
> (you can disable compression and still get DoS'ed)
> It is with how it handles byte ranges (by ignoring overlapping ranges
> Currently with apache requests like
> Range: bytes=0-1,0-2,0-3...................... <nnn-nnn>
> Range: bytes=0-0, 1-1, 2-2.................<nnn-nnn>
> will not result in merging of the ranges and deliver data for each range.
> With huge number of those ranges there is a lot of memory consumed.
Not really. The problem in Apache is not "not merging", but O(N^2)
memory consumption while handling Range requests, where N - number
of ranges requested.
See here for more information:
With nginx you are safe: there is no O(N^2) memory consumption.
Additionally, it won't do any actual data processing with HEAD
requests as used in attacking script in question.
More information about the nginx