Apache Security - Ivan Ristic [64]
Viruses and worms are often used for DoS attacks. The target address is sometimes hardcoded into the virus, so it is not necessary for a virus to communicate back to the master host to perform its attacks. These types of attacks are practically impossible to trace.
Reflection DoS Attacks
Address spoofing is easy to use and most DoS attacks use it. Because target systems believe the source address received in a TCP packet, address spoofing allows attackers to attack a target through other, genuine Internet systems:
The attacker sends a packet to a well-connected system and forges the source address to look like the packet is coming from the target of his attack. The packet may request a connection to be established (SYN).
That system receives the packet and replies (to the target, not to the actual source) with a SYN+ACK response.
The target is now being attacked by an innocent system.
The flow of data from the attacker to the systems being used for reflection is usually low in volume, low enough not to motivate their owners to investigate the origin. The combined power of traffic against the target can be devastating. These types of attacks are usually distributed and are known as distributed reflection denial of service (DRDoS) attacks (the concept of such attacks is illustrated in Figure 5-4). Steve Gibson wrote a follow-up to his story on DoS attacks, including coverage of DRDoS attacks:
The Gibson Research Corporation's "Distributed Reflection Denial of Service" page (http://www.grc.com/dos/drdos.htm).
Figure 5-4. Distributed reflection denial of service attack
Self-Inflicted Attacks
Administrators often have only themselves to blame for service failure. Leaving a service configured with default installation parameters is asking for trouble. Such systems are very susceptible to DoS attacks and a simple traffic spike can imbalance them.
Badly Configured Apache
One thing to watch for with Apache is memory usage. Assuming Apache is running in prefork mode, each request is handled by a separate process. To serve one hundred requests at one time, a hundred processes are needed. The maximum number of processes Apache can create is controlled with the MaxClients directive, which is set to 256 by default. This default value is often used in production and that can cause problems if the server cannot cope with that many processes.
Figuring out the maximum number of Apache processes a server can accommodate is surprisingly difficult. On a Unix system, you cannot obtain precise figures on memory utilization. The best thing we can do is to use the information we have, make assumptions, and then simulate traffic to correct memory utilization issues.
Looking at the output of the ps command, we can see how much memory a single process takes (look at the RSZ column as it shows the amount of physical memory in use by a process):
# ps -A -o pid,vsz,rsz,command
PID VSZ RSZ COMMAND
3587 9580 3184 /usr/local/apache/bin/httpd
3588 9580 3188 /usr/local/apache/bin/httpd
3589 9580 3188 /usr/local/apache/bin/httpd
3590 9580 3188 /usr/local/apache/bin/httpd
3591 9580 3188 /usr/local/apache/bin/httpd
3592 9580 3188 /usr/local/apache/bin/httpd
In this example, each Apache instance takes 3.2 MB. Assuming the default Apache configuration is in place, this server requires 1 GB of RAM to reach the peak capacity of serving 256 requests in parallel, and this is only assuming additional memory for CGI scripts and dynamic pages will not be required.
* * *
Tip
Most web servers do not operate at the edge of their capacity. Your initial goal is to limit the number of processes to prevent server crashes. If you set the maximum number of processes to a value that does not make full use of the available memory, you can always change it later when the need for more processes appears.
* * *
Do not be surprised if you see systems with very large Apache processes. Apache installations with a large number of virtual servers and complex