| Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them. |
|
 |
|
|
|
vulnerability note 8809
Apache httpd: denial of service
Synthesis of the vulnerability
| An attacker can exhaust the maximum number of allowed clients on an Apache httpd server, in its default configuration. |
Severity: 1/4.
Creation date: 19/06/2009.
|
Description of the vulnerability
When a client connects to the httpd service, he has to send an HTTP request like:
GET / HTTP/1.0
Host: server
Header: etc.
As long as Apache httpd did not receive the full request, it waits at most TimeOut seconds before closing the session.
When MaxClients clients are simultaneously connected on the service, next clients cannot access to the service.
An attacker can therefore open several parallel sessions, in which he sends the request using small fragments, in order to extend the session and to reach MaxClients. Legitimate users then cannot access to the service.
An attacker can therefore exhaust the maximum number of allowed clients on an Apache httpd server, in its default configuration.
The IIS web server uses a different logic and is not impacted by this denial of service. For example, when a new session arrives, the older inactive or incomplete session is closed. |
Complete Vigil@nce bulletin
Characteristics
Title: Apache httpd: denial of service.
Keywords: Apache GET HTTP Header Host IIS MaxClients TimeOut denial httpd service.
Identifiers: 47386, VIGILANCE-VUL-8809.
|
Information sources
Solutions for this vulnerability
Supplements
Computer vulnerabilities tracking service
The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Computer vulnerability database
|
