You can legitimately ask for hundreds of very large overlapping parts of a file in a single request. ... A relatively modest number of requests can tie a server's CPU and memory in knots.
Mark Stockley, Web Consultant, Sophos
A new version of the Apache open source Web server, which runs 65% of the world’s websites, has been issued to disable a vulnerability that exposed it to a potential distributed denial-of-service (DDoS) attack.
In an Aug. 31 announcement, the Apache Software Foundation and the Apache HTTP Server Project said they had released version 2.2.20 of the Apache HTTP Server in order to fix the flaw, identified last week. “We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade,” the announcement said.
The new version was produced quickly because a tool that exploits the vulnerability (CVE-2011-31092 at cve.mitre.org) was identified in the wild.
Sophos Web Consultant Mark Stockley wrote on the Sophos Labs Naked Security blog that the vulnerability would allow attackers to mount an Apache DDoS attack without having masses of computing firepower at their disposal.
The vulnerability can be exploited by a feature in Web servers that allows users to pause and resume their downloads. As Stockley described it: “You can legitimately ask for hundreds of very large overlapping parts of a file in a single request. Enough parts that a relatively modest number of requests can tie a server's CPU and memory in knots.”
He noted this is partly due to a weakness in the HTTP protocol, meaning other Web servers might also be vulnerable.
The new version of Apache reduces the amount of memory used by range requests, and, if the total bytes of a file requested exceed the total file size, httpd (the Apache HTTP daemon that monitors incoming requests) will return the entire file.
Network administrators are strongly advised to update their systems immediately. Also writing on the Sophos blog, Senior Security Advisor Chester Wisniewski observed: “Many Linux and Unix administrators ‘set and forget’ their installations and never bother to look after their servers. The Apache team should be applauded for testing and releasing an important security fix so quickly. Now it is up to you, the IT administrators, who are using Apache to follow through and apply these fixes.”