DoS attack in the wild

luben karavelov luben at unixsol.org
Fri Jun 19 22:45:01 MSD 2009


A DoS attack against a number of HTTP servers is available and has hit 
Slashdot today: 
http://it.slashdot.org/story/09/06/19/1243203/Attack-On-a-Significant-Flaw-In-Apache-Released

Out of the box nginx is also vulnerable (I have tested it on the latest 0.7 
installation). A quick fix for the vulnerability follows:

Put in the "http" section:

client_body_timeout 10;      # seconds allowed between two successive reads of the request body
client_header_timeout 10;    # seconds allowed to receive the complete request header
send_timeout 10;             # seconds allowed between two successive writes to the client
keepalive_timeout 10;        # how long an idle keep-alive connection stays open
limit_zone limit_per_ip $binary_remote_addr 1m;   # 1 MB shared zone, keyed by client IP

and put in the "server" section:

limit_conn limit_per_ip 16;   # zone name must match the limit_zone above; max 16 concurrent connections per IP

The last 2 configuration lines are for limiting connections per client 
IP. The first lines are some sane connection timeouts.

Best regards and keep the great work!
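As an added example (not part of the original mail), a small Python checker that applies the two rules of the post to an nginx config fragment: each of the four slow-client timeouts present and at or below 10 seconds, and limit_conn pointing at a zone that is actually defined. It understands both the 0.7 limit_zone syntax used in the mail and the later limit_conn_zone form; MAX_TIMEOUT and the sample snippets are constructed for the demonstration.

```python
import re
# Upper bound (seconds) for the four slow-client timeouts the post recommends (constructed).
MAX_TIMEOUT = 10
TIMEOUT_DIRECTIVES = ("client_body_timeout", "client_header_timeout",
                      "keepalive_timeout", "send_timeout")
# Simple one-line directives only: "name args ;" (blocks and comments are skipped).
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+([^;#{}]*?)\s*;")

def parse_directives(conf):
    """Return [(name, [args]), ...] for every simple directive in the text."""
    return [(m.group(1), m.group(2).split())
            for m in map(DIRECTIVE_RE.match, conf.splitlines()) if m]

def check_slow_client_hardening(conf):
    """Return findings; empty means every timeout is bounded and limit_conn
    refers to a zone that is actually defined (the mismatch in the posted snippet)."""
    findings, seen, zones = [], {}, set()
    for name, args in parse_directives(conf):
        seen[name] = args
        if name == "limit_zone" and args:       # 0.7 syntax: limit_zone NAME $var SIZE
            zones.add(args[0])
        elif name == "limit_conn_zone":         # 1.x syntax: limit_conn_zone $var zone=NAME:SIZE
            zones.update(a[5:].split(":")[0] for a in args if a.startswith("zone="))
    for d in TIMEOUT_DIRECTIVES:
        if d not in seen:
            findings.append(f"missing {d}")
            continue
        val = seen[d][0] if seen[d] else ""
        if not re.fullmatch(r"\d+s?", val):
            findings.append(f"{d} {val!r}: not a plain seconds value, check manually")
        elif int(val.rstrip("s")) > MAX_TIMEOUT:
            findings.append(f"{d} {val} exceeds {MAX_TIMEOUT}s")
    conn = seen.get("limit_conn")
    if conn is None:
        findings.append("missing limit_conn: no per-client connection cap")
    elif not conn or conn[0] not in zones:
        findings.append(f"limit_conn references undefined zone {' '.join(conn[:1])!r}")
    return findings

# Constructed sample: the snippet as posted (zone name mismatch) and the corrected one.
AS_POSTED = """
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 10;
send_timeout 10;
limit_zone limit_per_ip $binary_remote_addr 1m;
limit_conn limit_per 16;
"""
CORRECTED = AS_POSTED.replace("limit_conn limit_per 16;", "limit_conn limit_per_ip 16;")
```

Run check_slow_client_hardening() on the relevant http/server fragment; the as-posted snippet yields exactly one finding, the corrected one none.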