Orange Business Services
Vigil@nce Vigil@nce Vigil@nce
we track for your security since 1999
 home presentation vulnerabilities documentation contact  
subscriber area subscriber area
free access free access
The Vigil@nce team watches vulnerabilities impacting your computers, and then offers solutions, a database and tools to correct them.
recent vulnerabilities recent vulnerabilities
tracked products tracked products
RSS feed RSS feed
vulnerability

vulnerability note 8809

Apache httpd: denial of service

Synthesis of the vulnerability

An attacker can exhaust the maximum number of allowed clients on an Apache httpd server, in its default configuration.
Severity: 1/4.
Creation date: 19/06/2009.

Impacted products

Description of the vulnerability

When a client connects to the httpd service, he has to send an HTTP request like:
  GET / HTTP/1.0
  Host: server
  Header: etc.
As long as Apache httpd did not receive the full request, it waits at most TimeOut seconds before closing the session.

When MaxClients clients are simultaneously connected on the service, next clients cannot access to the service.

An attacker can therefore open several parallel sessions, in which he sends the request using small fragments, in order to extend the session and to reach MaxClients. Legitimate users then cannot access to the service.

An attacker can therefore exhaust the maximum number of allowed clients on an Apache httpd server, in its default configuration.

The IIS web server uses a different logic and is not impacted by this denial of service. For example, when a new session arrives, the older inactive or incomplete session is closed.

Share this bulletin

Delicious Digg Facebook Google bookmarks LinkedIn Mail Reddit StumbleUpon Technorati Twitter Yahoo 

Complete Vigil@nce bulletin

Apache httpd: denial of service

Characteristics

Title: Apache httpd: denial of service.
Keywords: Apache GET HTTP Header Host IIS MaxClients TimeOut denial httpd service.
Identifiers: 47386, VIGILANCE-VUL-8809.

Information sources

Publications and announces
Source example: Slowloris HTTP DoS

Solutions for this vulnerability

Patch or workaround

Supplements

Attack

Exploit 0day or proof of concept

Attack

Exploit 0day or proof of concept

Computer vulnerabilities tracking service

Vigil@nce provides a software vulnerability note. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce vulnerability database contains several thousand vulnerabilities.



















Copyright 1999-2012 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française