2011/08/26

Apache Killer

Some friends alerted me to the “Apache Killer” bug, which is described in the announcement at the URL below:

http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110824161640.122D387DD@minotaur.apache.org%3E

This bug exploits a flaw in how Apache httpd handles the Range field of the HTTP request header. By sending a crafted request with a large number of byte-range fields in the Range header, the attacker amplifies the request: each byte range forces Apache to make a separate copy of the requested resource, which eventually consumes all available CPU and memory.

The bad news is that system administrators need to wait another 48 hours for the Apache Foundation to release the patches. In the meantime, they can apply interim measures such as not allowing the use of Range headers.
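As an added example (not code from the original post or from the Apache project), here is a small Python filter that implements the interim measure of limiting Range headers: it parses the byte-range set of a request and reports whether the request should be allowed, refused, or served without honouring the header. The MAX_RANGES limit and the policy of ignoring a malformed header are assumptions made for this example.

```python
import re

# Assumed policy for this example: allow at most MAX_RANGES byte-range specs
# per request. The interim workaround in the text is stricter (no Range at
# all); a small limit keeps ordinary resumable downloads working.
MAX_RANGES = 5

# One byte-range-spec per RFC 2616: "first-last", "first-" or "-suffix".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(range_header):
    """Parse a Range header value such as "bytes=0-99,200-,-500".

    Returns a list of (first, last) tuples, with None for an open end,
    an empty list when no header is present, or None when the header is
    malformed (unsupported unit or an invalid spec).
    """
    if range_header is None:
        return []
    unit, sep, specs = range_header.strip().partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        spec = spec.strip()
        if not spec:
            continue  # empty list elements are tolerated by the RFC
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def range_request_verdict(range_header, max_ranges=MAX_RANGES):
    """Return "allow", "reject" or "strip" for a request with this header."""
    ranges = parse_byte_ranges(range_header)
    if ranges is None:
        return "strip"   # malformed: ignore Range and serve the full resource
    if len(ranges) > max_ranges:
        return "reject"  # too many byte ranges: refuse the request
    return "allow"


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    for hdr in (None, "bytes=0-99", "bytes=0-0,1-1,2-2,3-3,4-4,5-5", "bytes=abc"):
        print(repr(hdr), "->", range_request_verdict(hdr))
```

The same check can run over access logs that record the Range header, which makes it usable for detection as well as for blocking at a reverse proxy.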

This bug was first found in 2007. It is a wonder that the Apache Foundation did not pay attention to it.

2 comments:

warrenkwok said...

Just performed some tests on the attack. It did not eat up a lot of memory, but rather the CPU was affected most. Within a few seconds, CPU resource dropped from 99% to less than 75%.

Anonymous said...

You pretty much said what I could not effectively communicate. +1
