"slowloris" denial-of-service vulnerability

Related Vulnerabilities: CVE-2010-0408   CVE-2009-3555   CVE-2010-0434  

Debian Bug report logs - #533661
"slowloris" denial-of-service vulnerability


Reported by: Michael S Gilbert <michael.s.gilbert@gmail.com>

Date: Fri, 19 Jun 2009 17:12:02 UTC

Severity: important

Tags: security

Found in versions apache2/2.2.3-4+etch6, apache2/2.2.3-4

Fixed in version apache2/2.2.15-1

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#533661; Package apache2. (Fri, 19 Jun 2009 17:12:04 GMT)


Acknowledgement sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Fri, 19 Jun 2009 17:12:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael S Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: "slowloris" denial-of-service vulnerability
Date: Fri, 19 Jun 2009 13:11:11 -0400
package: apache2
version: 2.2.3-4+etch6
severity: important
tags: security

hello,

this package is supposedly vulnerable to something called a
"slowloris" denial-of-service attack.  please check to see whether
this is a correct assessment.  see [1],[2] for more info.  thanks.

[1] http://ha.ckers.org/slowloris/
[2] http://www.securityfocus.com/archive/1/456339/30/0/threaded




Bug 533661 cloned as bug 533662. Request was from Michael S Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Fri, 19 Jun 2009 17:21:02 GMT)


Bug 533661 cloned as bug 533663. Request was from Michael S Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Fri, 19 Jun 2009 17:21:04 GMT)


Bug 533661 cloned as bug 533664. Request was from Michael S Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Fri, 19 Jun 2009 17:21:05 GMT)


Bug 533661 cloned as bug 533665. Request was from Michael S Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Fri, 19 Jun 2009 17:21:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#533661; Package apache2. (Sat, 20 Jun 2009 15:21:02 GMT)


Acknowledgement sent to Andreas Krennmair <ak@synflood.at>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sat, 20 Jun 2009 15:21:02 GMT)


Message #18 received at 533661@bugs.debian.org:

From: Andreas Krennmair <ak@synflood.at>
To: security@apache.org
Cc: h@ckers.org, 533661@bugs.debian.org
Subject: Mitigating the Slowloris HTTP DoS attack
Date: Sat, 20 Jun 2009 17:14:40 +0200
Hello everyone,

Recently, the Slowloris HTTP DoS attack[0] was published, an HTTP-based 
Denial-of-Service attack against webservers that consumes resources by opening 
a big number of parallel connections and slowly sending incomplete requests 
over them. This is a very effective way of DoSing a webserver without 
generating a lot of network traffic or putting a high load on the web server 
itself, thus making it harder to detect compared to "traditional" DoS attacks 
against webservers. Apache 1.x and 2.2.x were shown to be vulnerable against 
this kind of attack.

The key concept of the Slowloris attack is slowly sending small parts of an 
HTTP request, while the HTTP request is never actually completed. In contrast, 
the great majority of legitimate HTTP clients try to send the complete HTTP 
request as quickly as possible. Given these assumptions, I developed a simple 
but effective proof of concept patch that mitigates this issue in Apache 
2.2.11 (the latest stable 2.2 release) as far as possible.

This patch is available under the following URL: 
http://synflood.at/tmp/anti-slowloris.diff

The method my PoC patch follows is that it adapts the request timeouts 
depending on the current load on the webserver: it regularly computes a load 
percentage which describes the ratio of processes that currently process HTTP 
requests to the total number of available processes (the PoC patch is prefork 
MPM only, but should be easily adaptable to the worker MPM, too). When the 
load percentage reaches certain thresholds, the total request timeout is 
continuously lowered. At a load of 96 % or higher, the request timeout is set 
to a maximum of 1 second (at higher loads even lower), which makes slow 
senders quickly run into timeouts. This behaviour frees resources for quick 
senders (which are assumed to be legitimate clients in this scenario). In 
order to work around this behaviour for an attacker, the delay between sending 
packets must be reduced, which defeats one of the main goals of the Slowloris 
attack, namely keeping the overall "footprint" of network traffic low.

Even in the worst case (the attacker keeps its delay times very low, I tested 
it with slowloris.pl and a delay of 1 second, which already generates a lot of 
traffic), legitimate requests are still being responded to correctly, even 
though request completion takes noticeably longer than usual. So, the patch is 
neither the final nor a perfect solution, but it is practical and demonstrates 
that protection against the Slowloris attack can be achieved.

Regards,
Andreas Krennmair

References:
[0]: http://ha.ckers.org/slowloris/
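An added illustration of the load-adaptive timeout policy described in the message above; this is not Krennmair's patch (which is not reproduced on this page). Only the "96 % load gives at most 1 s" rule comes from the message; the lower thresholds, the 20-slot worker pool, the client timings and the attacker reconnecting after a timeout are assumptions, and the small simulation shows why slow senders lose their slots while quick senders still get served.

```python
from collections import deque
from dataclasses import dataclass

TICK = 0.1                  # simulation step in seconds
BASE_TIMEOUT = 300.0        # Apache 2.2 default "Timeout" in seconds
# (load percentage threshold, maximum request timeout in seconds).
# Only the 96 % -> 1 s entry is from the message; the rest are assumed.
THRESHOLDS = [(96, 1.0), (90, 5.0), (75, 20.0), (50, 60.0)]

def adaptive_timeout(busy: int, total: int) -> float:
    """Request timeout in seconds for the current worker load."""
    load = 100.0 * busy / total
    for threshold, limit in THRESHOLDS:
        if load >= threshold:
            if threshold == 96:      # "at higher loads even lower": shrink towards 100 %
                return max(TICK, limit * (100 - load) / 4)
            return limit
    return BASE_TIMEOUT

@dataclass(eq=False)
class Conn:
    slow: bool        # True: slowloris-style sender, False: legitimate client
    interval: int     # ticks between pieces of the request
    need: int         # pieces that make up a complete request
    sent: int = 0
    last: int = 0     # tick at which the last piece was received

def simulate(slots: int, adaptive: bool, ticks: int = 600) -> int:
    """Return how many legitimate requests complete within `ticks`."""
    # Assumed attacker: twice as many connections as the pool has slots,
    # each sending one header line every 10 s and never finishing.
    queue = deque(Conn(True, 100, 100) for _ in range(2 * slots))
    active, served = [], 0
    for now in range(ticks):
        timeout = adaptive_timeout(len(active), slots) if adaptive else BASE_TIMEOUT
        for c in list(active):
            if now - c.last >= c.interval:            # another piece arrives
                c.last, c.sent = now, c.sent + 1
                if c.sent >= c.need:                  # request complete
                    active.remove(c)
                    served += not c.slow
            elif (now - c.last) * TICK > timeout:     # idle too long: reaped
                active.remove(c)
                if c.slow:                            # attacker reconnects
                    queue.append(Conn(True, c.interval, c.need))
        if now % 10 == 5:        # assumed: one legitimate client per second,
            queue.append(Conn(False, 1, 2))   # whole request sent within 0.2 s
        while queue and len(active) < slots:          # fill free worker slots
            c = queue.popleft()
            c.last, c.sent = now, 1                   # first piece sent on connect
            active.append(c)
    return served
```

With the fixed 300 s timeout the slow connections hold every slot for the whole run and no legitimate request completes; with the adaptive policy they are reaped within a few tenths of a second and legitimate requests are served, with some queueing delay, as the message reports.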




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#533661; Package apache2. (Mon, 21 Sep 2009 18:33:05 GMT)


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Mon, 21 Sep 2009 18:33:05 GMT)


Message #23 received at 533661@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 533661@bugs.debian.org
Subject: Use iptables
Date: Mon, 21 Sep 2009 20:14:27 +0200
At the moment, the best defense is using iptables connlimit with a 
reasonable maximum number of connections per IP (like 1/5 or 1/10 of 
what your server can handle). This will give you good protection from 
single attacking hosts. When the attacker has many hosts (i.e. a 
botnet) you have lost anyway.

If you can't use iptables (e.g. if you only have some vserver), there 
is libapache2-mod-antiloris in Debian unstable and testing. The 
package should work in stable and oldstable, too. Mod_antiloris may be 
better than nothing, but the slowloris script can be easily modified 
to circumvent mod_antiloris.




Bug marked as found in versions apache2/2.2.3-4. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Wed, 11 Nov 2009 22:57:06 GMT)


Added tag(s) pending. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Sun, 07 Mar 2010 22:06:13 GMT)


Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Sun, 07 Mar 2010 22:51:13 GMT)


Notification sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 07 Mar 2010 22:51:13 GMT)


Message #32 received at 533661-close@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: 533661-close@bugs.debian.org
Subject: Bug#533661: fixed in apache2 2.2.15-1
Date: Sun, 07 Mar 2010 22:47:38 +0000
Source: apache2
Source-Version: 2.2.15-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.15-1_i386.deb
  to main/a/apache2/apache2-dbg_2.2.15-1_i386.deb
apache2-doc_2.2.15-1_all.deb
  to main/a/apache2/apache2-doc_2.2.15-1_all.deb
apache2-mpm-event_2.2.15-1_i386.deb
  to main/a/apache2/apache2-mpm-event_2.2.15-1_i386.deb
apache2-mpm-itk_2.2.15-1_i386.deb
  to main/a/apache2/apache2-mpm-itk_2.2.15-1_i386.deb
apache2-mpm-prefork_2.2.15-1_i386.deb
  to main/a/apache2/apache2-mpm-prefork_2.2.15-1_i386.deb
apache2-mpm-worker_2.2.15-1_i386.deb
  to main/a/apache2/apache2-mpm-worker_2.2.15-1_i386.deb
apache2-prefork-dev_2.2.15-1_i386.deb
  to main/a/apache2/apache2-prefork-dev_2.2.15-1_i386.deb
apache2-suexec-custom_2.2.15-1_i386.deb
  to main/a/apache2/apache2-suexec-custom_2.2.15-1_i386.deb
apache2-suexec_2.2.15-1_i386.deb
  to main/a/apache2/apache2-suexec_2.2.15-1_i386.deb
apache2-threaded-dev_2.2.15-1_i386.deb
  to main/a/apache2/apache2-threaded-dev_2.2.15-1_i386.deb
apache2-utils_2.2.15-1_i386.deb
  to main/a/apache2/apache2-utils_2.2.15-1_i386.deb
apache2.2-bin_2.2.15-1_i386.deb
  to main/a/apache2/apache2.2-bin_2.2.15-1_i386.deb
apache2.2-common_2.2.15-1_i386.deb
  to main/a/apache2/apache2.2-common_2.2.15-1_i386.deb
apache2_2.2.15-1.diff.gz
  to main/a/apache2/apache2_2.2.15-1.diff.gz
apache2_2.2.15-1.dsc
  to main/a/apache2/apache2_2.2.15-1.dsc
apache2_2.2.15-1_i386.deb
  to main/a/apache2/apache2_2.2.15-1_i386.deb
apache2_2.2.15.orig.tar.gz
  to main/a/apache2/apache2_2.2.15.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 533661@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 07 Mar 2010 23:22:56 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source all i386
Version: 2.2.15-1
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-itk - multiuser MPM for Apache 2.2
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 533661 571461 572232
Changes: 
 apache2 (2.2.15-1) unstable; urgency=low
 .
   * New upstream version:
     - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
     - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol
       prefix injection attack.
     - CVE-2010-0434: mod_headers: Fix potential information leak with threaded
       MPMs.
     - mod_reqtimeout: New module limiting the time waiting for receiving
       a request from the client. This is a (partial) mitigation against
       slowloris-type resource exhaustion attacks. The module is enabled by
       default. Closes: #533661
     - mod_ssl: Add SSLInsecureRenegotiation directive to allows insecure
       renegotiation with clients which do not yet support the secure
       renegotiation protocol. As this requires openssl 0.9.8m, bump
       build dependency accordingly.
   * Fix bash completion for a2ensite if the site name contains 'conf' or
     'load'. Closes: #572232
   * Do a configcheck in the init script before doing a non-graceful restart.
     Closes: #571461






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 07 Apr 2010 07:37:08 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:24:44 2019; Machine Name: beach
