nginx and Apache killer

Maxim Dounin mdounin at
Sun Aug 28 14:25:37 UTC 2011


On Sun, Aug 28, 2011 at 09:42:23AM +0000, Venky Shankar wrote:

> >
> > First of all, nginx doesn't favor HEAD requests with compression,
> > so the exact mentioned attack doesn't work against a standalone
> > nginx installation.
> >
> Well, with Apache, the problem is not really due to the compression module
> (you can disable compression and still get DoS'ed).
> It is with how it handles byte ranges (by ignoring overlapping ranges
> etc...)
> Currently with Apache, requests like
> Range: bytes=0-1,0-2,0-3...................... <nnn-nnn>
> OR
> Range: bytes=0-0, 1-1, 2-2.................<nnn-nnn>
> will not result in merging of the ranges and will deliver data for each range.
> With a huge number of those ranges there is a lot of memory consumed.

Not really.  The problem in Apache is not "not merging", but O(N^2)
memory consumption while handling Range requests, where N is the
number of ranges requested.

See here for more information:

With nginx you are safe: there is no O(N^2) memory consumption.
Additionally, it won't do any actual data processing with HEAD
requests as used in the attacking script in question.

Maxim Dounin
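A defender-side illustration of the point discussed in this thread, added here as an example and not code from nginx, Apache or either poster: it parses a Range header, coalesces overlapping or adjacent ranges (the merging step the thread says Apache skipped), and decides whether to serve, ignore or reject the header before any per-range work is done. The MAX_RANGES threshold and the function names are assumptions of this example.

```python
import re

# Policy threshold (an assumption for this example, not from the thread):
# ordinary clients send one or two ranges, so a header carrying many of them
# is far more likely to be abuse than a real resumable download.
MAX_RANGES = 5


def parse_ranges(header, size):
    """Resolve a Range header value against a body of `size` bytes.

    Returns a list of (first, last) inclusive byte pairs.  Unsatisfiable
    ranges are dropped; a syntactically invalid header raises ValueError."""
    unit, _, specs = header.partition("=")
    if unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in specs.split(","):
        spec = spec.strip()
        m = re.fullmatch(r"(\d*)-(\d*)", spec)
        if not m or spec == "-":
            raise ValueError("malformed byte-range-spec: %r" % spec)
        first, last = m.groups()
        if first == "":                         # suffix form: last N bytes
            n = int(last)
            if n > 0:
                ranges.append((max(size - n, 0), size - 1))
            continue
        first = int(first)
        last = size - 1 if last == "" else min(int(last), size - 1)
        if first >= size or first > last:       # nothing to serve for this spec
            continue
        ranges.append((first, last))
    return ranges


def merge_ranges(ranges):
    """Coalesce overlapping or adjacent ranges into a sorted, disjoint list."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def assess_range_header(header, size, max_ranges=MAX_RANGES):
    """Return (action, raw_count, merged_count) for a Range header.

    'serve'  -> honour the ranges; 'ignore' -> answer with the full body as
    if no Range header were sent; 'reject' -> 416, nothing satisfiable."""
    try:
        raw = parse_ranges(header, size)
    except ValueError:                          # invalid header: ignore it
        return ("ignore", 0, 0)
    if not raw:
        return ("reject", 0, 0)
    merged = merge_ranges(raw)
    # Too many ranges, or ranges that overlap or abut: per-range work grows
    # with len(raw), and a legitimate client has no reason to send them.
    if len(raw) > max_ranges or len(merged) < len(raw):
        return ("ignore", len(raw), len(merged))
    return ("serve", len(raw), len(merged))
```

The check runs on the raw range count, before any buffers are allocated, so it bounds the work a single request can cause regardless of how the range-serving code behind it scales.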
