If you are a frequent reader of this blog, you are more or less already familiar with denial-of-service (DoS) attacks. Such an attack typically targets specific systems or servers and “floods” them with traffic in order to prevent legitimate users from accessing information or services.
This time around, we observed a DoS attack that exploits a specific vulnerability, which sets it apart from the usual DoS attack methods. DoS attacks are typically carried out by flooding the target site with traffic (SYN flooding, UDP flooding, ICMP flooding). What makes this attack noteworthy is that it does not require a huge amount of traffic: all the attacker has to do is send a specially crafted HTTP request, which renders the site inaccessible.
We recently did a deeper analysis of this vulnerability (CVE-2011-3192), found in certain versions of Apache HTTP Server, which allows a remote attacker to conduct a DoS attack by sending a small HTTP request.
The vulnerability exists in the byterange filter in Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19. It can be exploited with a Range header that expresses multiple overlapping ranges. A proof of concept for an exploit abusing this vulnerability was published in August. A tool that conducts DoS attacks by exploiting this vulnerability was later created and dubbed the “Apache Killer.” Apache already patched this security hole last week.
A typical attack scenario exploiting this vulnerability involves sending an HTTP request whose Range: bytes= header specifies a large number of ranges to the Apache server.
Once the server receives such a request, it creates a bucket for each of the many ranges listed in the crafted Range header and inserts them into a bucket brigade. This causes heightened memory consumption and, eventually, a DoS.
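As an added illustration (not code from the original post or from any Trend Micro rule), the following Python checker parses a Range header the way a web application firewall or log-inspection script might, and flags the overlapping or excessive range sets described above. The threshold of five ranges and the sample headers are assumptions constructed for the example.

```python
import re

# Constructed sample headers (not taken from the original post). The
# "overlapping" one has the shape of a Range header listing many overlapping
# ranges, which is the condition the byterange filter handles badly.
SAMPLE_HEADERS = {
    "normal": "bytes=0-499",
    "two_ranges": "bytes=0-99,200-299",
    "overlapping": "bytes=" + ",".join(f"0-{i}" for i in range(1, 20)),
}

RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header, content_length):
    """Parse a 'bytes=' Range header into a list of (first, last) byte offsets.
    Returns None if the header is not a syntactically valid byte-range set."""
    if not header.startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":  # suffix range "-N": the last N bytes of the resource
            n = int(last)
            ranges.append((max(content_length - n, 0), content_length - 1))
        else:
            f = int(first)
            l = int(last) if last else content_length - 1  # "N-": to the end
            if f > l:
                return None
            ranges.append((f, min(l, content_length - 1)))
    return ranges


def count_overlaps(ranges):
    """Number of range pairs whose byte spans intersect."""
    ordered = sorted(ranges)
    overlaps = 0
    for i in range(len(ordered)):
        for j in range(i + 1, len(ordered)):
            if ordered[j][0] <= ordered[i][1]:
                overlaps += 1
            else:
                break  # sorted by start, so later ranges cannot intersect i
    return overlaps


def assess_range_header(header, content_length, max_ranges=5):
    """Return (verdict, range_count). Assumed policy: more than max_ranges
    ranges, or any overlap between ranges, is treated as suspicious."""
    ranges = parse_ranges(header, content_length)
    if ranges is None:
        return "malformed", 0
    if len(ranges) > max_ranges or count_overlaps(ranges) > 0:
        return "suspicious", len(ranges)
    return "ok", len(ranges)
```

Run `assess_range_header(SAMPLE_HEADERS["overlapping"], 1000)` to see the constructed header classified as suspicious while the ordinary single-range and two-range headers pass.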
Web administrators who run Apache HTTP Server are advised to apply the patch as soon as possible. While patch management for vulnerability remediation can be a painful exercise for IT departments, Trend Micro Deep Security shields systems from threats that may leverage such vulnerabilities until patches become available and are deployed. Trend Micro provides protection against threats leveraging this vulnerability through Deep Security, specifically rule VSU11-026 (1004782 – Apache httpd Range Header Remote Denial Of Service).