DoS attack in the wild

w3wsrmn nginx-forum at nginx.us
Sat Jun 20 04:09:28 MSD 2009


luben karavelov Wrote:
-------------------------------------------------------
> A DoS attack against number of http servers is
> available and has hit 
> slashdot today: 
> http://it.slashdot.org/story/09/06/19/1243203/Atta
> ck-On-a-Significant-Flaw-In-Apache-Released
> 
> Out of the box nginx is also vulnerable (I have
> tested it on latest 0.7 
> installation). A quick fix for the vulnerability
> follows:
> 
> Put in "http" section:
> 
> client_body_timeout 10;
> client_header_timeout 10;
> keepalive_timeout 10;
> send_timeout 10;
> limit_zone limit_per_ip $binary_remote_addr 1m;
> 
> and put in "server" section :
> 
> limit_conn limit_per 16;
> 
> The last 2 configuration lines are for limiting
> connections per client 
> IP. This fist lines are same sane connection
> timeouts.
> 
> Best regards and keep the great work!


A look at the script reveals it keeps connections open with invalid headers (note the appended "\r\n"):

"GET /$rand HTTP/1.1\r\n"
          . "Host: $sendhost\r\n"
          . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
          . "Content-Length: 42\r\n";

As by default the (undocumented?) ignore_invalid_headers directive is enabled in nginx, isn't this attack a non-issue, unless one disables the directive?

Sending such headers to an nginx server with the directive enabled results in a "400 Bad Request".

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,3151,3163#msg-3163






More information about the nginx mailing list