nginx and Apache killer

Maxim Dounin mdounin at mdounin.ru
Sun Aug 28 14:25:37 UTC 2011


Hello!

On Sun, Aug 28, 2011 at 09:42:23AM +0000, Venky Shankar wrote:

> >
> > First of all, nginx doesn't favor HEAD requests with compression,
> > so the exact mentioned attack doesn't work against a standalone
> > nginx installation.
> >
> 
> Well, with apache; the problem is not really due to the compression module
> (you can disable compression and still get DoS'ed)
> 
> It is with how it handles byte ranges (by ignoring overlapping ranges
> etc...)
> 
> Currently with apache requests like
> 
> Range: bytes=0-1,0-2,0-3...................... <nnn-nnn>
> 
> OR
> 
> Range: bytes=0-0, 1-1, 2-2.................<nnn-nnn>
> 
> will not result in merging of the ranges and deliver data for each range.
> With huge number of those ranges there is a lot of memory consumed.

Not really.  The problem in Apache is not "not merging", but O(N^2) 
memory consumption while handling Range requests, where N - number 
of ranges requested.  

See here for more information:

http://permalink.gmane.org/gmane.comp.apache.devel/45196
http://permalink.gmane.org/gmane.comp.apache.devel/45290

With nginx you are safe: there is no O(N^2) memory consumption.  
Additionally, it won't do any actual data processing with HEAD 
requests as used in attacking script in question.

Maxim Dounin



More information about the nginx mailing list