Hey guys, First of all thanks for bringing such good software as Apache. We're now facing a big problem that we expect you to patch ASAP: it's a public full disclosure, and it affects any Apache infrastructure environment, please read this up: http://milw0rm.com/exploits/8976 Everyone is affected, and vulnerable to such an attack. Please feed up regarding this bug. Thanks a bunch.
First: If you really want to report a security issue NEVER do it here in the public, but send a mail to security@httpd.apache.org to handle this matter in a confidential way. Second: We are aware of this and it is an old hat and expected. Please have a look here: https://issues.apache.org/bugzilla/show_bug.cgi?id=47386
Don't follow Rudiger's link, it's cyclic. Every network application is affected by such attacks, this is a protocol level issue. It occurs at the network layer, not the application layer, as demonstrated by the fact that AcceptFilter in httpd has no impact on the attack. The solution, like the problem, lies in the network layer. See iptables and similar network stack filters to provide protection against this vector.
(In reply to comment #1)
> First: If you really want to report a security issue NEVER do it here in the
> public, but send a mail to security@httpd.apache.org to handle this matter in a
> confidential way.
> Second: We are aware of this and it is an old hat and expected. Please have a
> look here: https://issues.apache.org/bugzilla/show_bug.cgi?id=47386

Ahrggg. My bad. Copy and paste error. Thanks for pointing it out Bill. This is the correct link: http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos
Sorry for reopening this, but could you please tell me how security_tips.html#dos could help in the case where you open a connection and send a new header every few seconds?
This can be mitigated with mod_reqtimeout (usable since 2.2.17)
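Added example, not from this bug thread: the mod_reqtimeout configuration comment #6 refers to, with the weak setting (global Timeout only) beside the hardened one. The timeout values are illustrative choices, not values taken from the thread.

```apache
# Weak: only the global Timeout applies. A client that sends one header
# line every few seconds never stays idle long enough to trip it, so the
# worker remains tied up for as long as the client keeps trickling data.
Timeout 300

# Hardened: bound the total time a client may take to deliver the request
# headers and body. header=20-40,MinRate=500 means: allow 20 s for the
# headers, extend the deadline by 1 s for every 500 bytes received, but
# never beyond 40 s in total. A slow-header client is cut off with
# 408 Request Timeout instead of holding the worker open.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

Clients cut off this way appear in the access log as 408 responses, so a sudden burst of 408s from a small set of addresses is the signal to alert on.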