Possible DoS in nginx 0.5.31 with autoindex on;
areq at areq.eu.org
areq at areq.eu.org
Sat Sep 22 21:15:26 MSD 2007
Hi
server {
listen 10.9.31.6:80;
server_name pld.areq.eu.org;
access_log /var/log/nginx//pld.access.log;
location / {
root /vol/mirror/ftp.pld-linux.org;
autoindex on;
}
}
# ls /vol/mirror/ftp.pld-linux.org
dists
After few hours nginx return 500 error page and log too many open
files.
I discovered than nginx don't close opened directory after HEAD:
echo -e "HEAD / HTTP/1.1\r\nHost: pld.areq.eu.org\r\n\r\n" | nc
10.9.31.6 80
lsof:
nginx 10066 nginx 21r DIR 9,0 18 402653312
/vol/mirror/ftp.pld-linux.org
nginx 10066 nginx 22r DIR 9,0 18 402653312
/vol/mirror/ftp.pld-linux.org
each HEAD on dir increase number of opened files.
strace:
epoll_wait(20,
{{EPOLLIN, {u32=135133300, u64=4430100596}}}, 512, -1) = 1
gettimeofday({1190147846, 304732}, NULL) = 0
accept(16, {sa_family=AF_INET, sin_port=htons(1581),
sin_addr=inet_addr("10.9.8.100")}, [16]) = 18
ioctl(18, FIONBIO, [1]) = 0
epoll_ctl(20, EPOLL_CTL_ADD, 18, {EPOLLIN|EPOLLET, {u32=135133552,
u64=13807009823030376816}}) = 0
epoll_wait(20, {{EPOLLIN, {u32=135133552, u64=13807009823030376816}}},
512, 60000) = 1
gettimeofday({1190147846, 305917}, NULL) = 0
recv(18, "HEAD / HTTP/1.1\r\nHost: pld.areq"..., 1024, 0) = 42
open("/vol/mirror/ftp.pld-linux.org/index.html", O_RDONLY|O_LARGEFILE)
= -1 ENOENT (No such file or directory)
stat64("/vol/mirror/ftp.pld-linux.org", {st_mode=S_IFDIR|0755,
st_size=18, ...}) = 0
open("/vol/mirror/ftp.pld-linux.org",
O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 25
fstat64(25, {st_mode=S_IFDIR|0755, st_size=18, ...}) = 0
fcntl64(25, F_SETFD, FD_CLOEXEC) = 0
writev(18, [{"HTTP/1.1 200 OK\r\nServer: nginx/0"..., 155}], 1) = 155
write(7, "10.9.8.100 - - [18/Sep/2007:22:3"..., 76) = 76
recv(18, "", 982, 0) = 0
write(7, "10.9.8.100 - - [18/Sep/2007:22:3"..., 62) = 62
close(18) = 0
epoll_wait(20,
Cheers,
Arek
More information about the nginx
mailing list