
Apache Security - Ivan Ristic [68]

with the mod_rewrite trick described above.

Cyber-Activism

High-tech skills such as programming are not needed to perform DoS attacks. Cyber-activism is a new form of protest in which people perform virtual sit-ins that block web sites using only their browsers and a large number of activists. These attacks are also known as coordinated denial of service attacks.

Activists will typically advertise virtual sit-ins days in advance, so if you are hosting a web site of a high-profile organization, you may have time to organize a defense. To learn more about cyber-activism, read the following pages:

"Cyber Activists bring down Immigration web site," Scoop Media, January 2004 (http://www.scoop.co.nz/mason/stories/WO0401/S00024.htm)

"Econ Forum Site Goes Down," Wired News, January 2001 (http://www.wired.com/news/politics/0,1283,50159,00.html)

Activist web sites often publish the number of people who participated in a virtual sit-in. These numbers will give you an excellent idea as to how many hits you can expect against the server, so use them to prepare in advance.

The Slashdot Effect

Slashdot (http://www.slashdot.org) is a popular technology news site. According to the last information published (late 2000, see http://slashdot.org/faq/tech.shtml), it uses 10 servers to serve content. The site publishes articles of its own, but it often comments on interesting articles available elsewhere.

When a link to an external article is published on the home page, large numbers of site visitors jump to read it. A massive surge in traffic to a web site is known as the Slashdot effect (http://en.wikipedia.org/wiki/Slashdot_effect). A site made unresponsive by this effect is said to be slashdotted.

Sites that have been slashdotted report traffic between several hundred and several thousand hits per minute. Although this kind of traffic is out of the ordinary for most sites, it isn't enough to crash a well-configured Apache web server. Sites usually fail for the following reasons:

Not enough bandwidth is available (which often happens if there are screenshots of a product or other large files for download).

Software wants to talk to the database on every page hit, so the database or the CPU is overloaded.

The server is not configured properly, so it consumes too much memory and crashes.

The hardware is not powerful enough to support a large number of visitors, so the server works but too many clients wait in line to be served.

Attacks on Apache

With other types of attacks being easy, almost trivial, to perform, hardly anyone bothers attacking Apache directly. Under some circumstances, Apache-level attacks can be easier to perform because they do not require as much bandwidth as other types of attacks. Some Apache-level attacks can be performed with as few as a dozen bytes.

Less-skilled attackers will often choose this type of attack because it is so obvious.

Apache Vulnerabilities

Programming errors come in different shapes. Many have security implications. A programming error that can be exploited to abuse system resources should be classified as a vulnerability. For example, in 1998, a programming error was discovered in Apache: specially crafted small-sized requests caused Apache to allocate large amounts of memory. For more information, see:

"YA Apache DoS Attack," discovered by Dag-Erling Smørgrav (http://marc.theaimsgroup.com/?l=bugtraq&m=90252779826784&w=2)

More serious vulnerabilities, such as nonexploitable buffer overflows, can cause the server to crash when attacked. (Exploitable buffer overflows are not likely to be used as DoS attacks since they can and will be used instead to compromise the host.)

When Apache is running in a prefork mode as it usually is, there are many instances of the server running in parallel. If a child crashes, the parent process will create a new child. The attacker will have to send a large number of requests constantly to disrupt the operation.
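Because the parent quietly replaces each crashed child, a sustained crash attack shows up as a run of child-exit notices in the error log. The following is an added example, not code from the book: it counts those notices per minute and flags busy minutes. The sample log lines are constructed, and the threshold of 3 crashes per minute is an assumption to tune for your own server.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample error_log lines (Apache 2.x style); not from a real server.
SAMPLE_LOG = """\
[Sat Mar 05 10:15:02 2005] [notice] child pid 4101 exit signal Segmentation fault (11)
[Sat Mar 05 10:15:09 2005] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Sat Mar 05 10:15:21 2005] [notice] child pid 4102 exit signal Segmentation fault (11)
[Sat Mar 05 10:15:40 2005] [notice] child pid 4107 exit signal Segmentation fault (11)
[Sat Mar 05 10:15:58 2005] [notice] child pid 4110 exit signal Segmentation fault (11)
[Sat Mar 05 10:16:30 2005] [notice] child pid 4112 exit signal Bus error (7)
[Sat Mar 05 11:02:11 2005] [notice] child pid 4190 exit signal Segmentation fault (11)
"""

# Matches the "[date] [notice] child pid ..." form and also the 2.4 form, which
# adds fractional seconds and "[pid N] AH00052:" fields before the message.
CRASH_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (?P<year>\d{4})\]"
    r".*?child pid (?P<pid>\d+) exit signal (?P<sig>.+?) \((?P<num>\d+)\)"
)

def crashes_per_minute(log_text):
    """Return a Counter mapping each minute (datetime) to its child-crash count."""
    buckets = Counter()
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if not m:
            continue  # ordinary error or notice line, not a child crash
        when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        buckets[when.replace(second=0)] += 1
    return buckets

def sustained_crash_minutes(log_text, threshold=3):
    """Minutes whose crash count meets the (assumed) alert threshold."""
    counts = crashes_per_minute(log_text)
    return sorted(t for t, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for minute, count in sorted(crashes_per_minute(SAMPLE_LOG).items()):
        flag = "ALERT" if count >= 3 else "ok"
        print(f"{minute:%Y-%m-%d %H:%M} crashes={count} {flag}")
```

An isolated crash, like the 11:02 entry in the sample, stays below the threshold; only the clustered crashes at 10:15 are flagged.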

* * *

Tip


A crash will prevent the server from logging the offending request since logging
