Defending Against The 'Apache Killer' Exploit
An HTTP attack emerged this week against Apache Web servers, but just because there is an attack in the wild doesn't mean you have to be defenseless.
The Apache HTTP web server is the most widely deployed Web server on the Internet today, and it's at risk from a serious denial of service (DoS) attack.
The 'Apache Killer' tool is now out in the wild, enabling attackers to consume all of the memory on a Web server and create a DoS condition. Apache has issued multiple security advisories on the issue and is planning to release a patch this weekend.
"A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server," Apache warned in its latest advisory. "The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server."
Apache also warns that the default Apache HTTPD installation is vulnerable.
While Apache Web servers are vulnerable by default, that doesn't mean there are no defenses against the attack. One of those defenses is an intrusion prevention system (IPS) such as Snort. Like Apache, Snort is open source and available for free.
"The Snort engine's HTTP Inspect preprocessor has an option to detect oversized HTTP headers, one of the key pieces of the Apache Killer tool," Alex Kirk, senior research analyst with the Sourcefire Vulnerability Research Team (VRT), told InternetNews.com.
Kirk explained that since most HTTP headers are a few hundred bytes at most, an extremely long header quite often means a buffer overflow attack is under way. The HTTP Inspect preprocessor in Snort is not a new piece of technology either; it predates the release of the 'Apache Killer' tool.
The idea behind the preprocessor alert was to catch these sorts of attacks at one central point, instead of needing a rule for each and every HTTP header that could be attacked.
"While the underlying mechanism with Apache Killer is not a buffer overflow, the fact that it generates 'Range:' headers around 2,000 bytes long means that looking for this type of anomaly picks it up," Kirk said.
In addition to the built-in preprocessor, there is now also a new Snort rule that specifically detects the Apache Killer.
Kirk noted that the Apache Killer is similar in some respects to a classic overflow. In a buffer overflow, a large chunk of data is copied into the program's memory without bounds checking, and vital pieces of memory are overwritten enabling the attacker to take control.
"This bug simply overloads Apache with a huge number of requests that, sent independently, would be perfectly valid, and causes resource exhaustion that leads to the target machine becoming unavailable," Kirk said. "So while this is important, particularly for sites that need high availability like financial institutions, it could be a lot worse, since this bug can't be used to break into a network."
In addition to using an IDS like Snort to help detect the attack, the Apache Project has provided a number of workarounds in its advisories. One such suggestion from Apache is to use the SetEnvIf or mod_rewrite module to detect a large number of ranges. If a large number of ranges comes in, the system can be configured to simply ignore the Range header or reject the request. Additionally, Apache suggests that server administrators limit the size of the request header field to a few hundred bytes.
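The two checks described above, the oversized-header anomaly that Snort's HTTP Inspect preprocessor looks for and the range-count test behind Apache's SetEnvIf/mod_rewrite workarounds, can be expressed as a single request filter. The following is an added example written for this article; it is not code from the Apache Project, Sourcefire or the Snort rule set. The thresholds (`MAX_RANGES`, `MAX_HEADER_BYTES`), the `strip`/`reject` policy names and the sample headers are assumptions constructed for the example; the "flood" sample is built to resemble what the article describes, hundreds of overlapping ranges in a header around 2,000 bytes long.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed thresholds for this example (not figures from the article or the
# Apache advisory): Apache's workaround flags headers carrying more than a
# handful of ranges, and Kirk's observation is that legitimate headers are a
# few hundred bytes at most.
MAX_RANGES = 5
MAX_HEADER_BYTES = 300

# One byte-range-spec: "first-last", "first-" (open ended) or "-suffixlen".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


@dataclass
class Verdict:
    action: str        # "allow", "strip" (ignore Range, serve whole resource) or "reject" (403)
    reason: str
    range_count: int
    overlapping: bool  # at least two ranges cover a common byte; reported for logging


def parse_ranges(value: str) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Parse 'bytes=a-b,c-d,...' into (start, end) pairs; None if malformed."""
    if not value.startswith("bytes="):
        return None
    specs = []
    for spec in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        specs.append((start, end))
    return specs


def _normalize(spec: Tuple[Optional[int], Optional[int]]) -> Tuple[int, float]:
    """Map a spec to a closed interval; a suffix range cannot be placed without the
    resource length, so it is treated conservatively as covering everything."""
    start, end = spec
    if start is None:
        return (0, float("inf"))
    return (start, float("inf") if end is None else end)


def ranges_overlap(specs) -> bool:
    """True if any two ranges share at least one byte."""
    intervals = sorted(_normalize(s) for s in specs)
    for (_, hi1), (lo2, _) in zip(intervals, intervals[1:]):
        if lo2 <= hi1:
            return True
    return False


def inspect_range_header(value: Optional[str], policy: str = "strip") -> Verdict:
    """Apply the header-size and range-count checks to one Range header value.

    policy selects what a flagged request gets: "strip" mirrors Apache's
    'ignore the Range header' workaround, "reject" mirrors 'reject the request'.
    """
    if policy not in ("strip", "reject"):
        raise ValueError("policy must be 'strip' or 'reject'")
    if value is None:
        return Verdict("allow", "no Range header", 0, False)
    problems = []
    size = len(value.encode("latin-1", "replace"))
    if size > MAX_HEADER_BYTES:
        problems.append(f"header is {size} bytes, limit {MAX_HEADER_BYTES}")
    specs = parse_ranges(value)
    if specs is None:
        return Verdict(policy, "malformed Range header", 0, False)
    overlapping = ranges_overlap(specs)
    if len(specs) > MAX_RANGES:
        problems.append(f"{len(specs)} ranges, limit {MAX_RANGES}")
    if problems:
        return Verdict(policy, "; ".join(problems), len(specs), overlapping)
    return Verdict("allow", "within limits", len(specs), overlapping)


# Constructed sample headers (not captured traffic).
SAMPLE_HEADERS = {
    "single": "bytes=0-1023",
    "resume": "bytes=500-",
    "suffix": "bytes=-500",
    "multipart": "bytes=0-99,200-299,400-499",
    # Hundreds of overlapping ranges packed into a header around 2,000 bytes long.
    "flood": "bytes=" + ",".join(f"{i}-{i + 100}" for i in range(250)),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        v = inspect_range_header(header)
        print(f"{name:10} {v.action:6} ranges={v.range_count:<4} overlap={v.overlapping!s:5} {v.reason}")
```

A legitimate download manager's three-part request passes both checks, while the flood header trips the size limit and the range limit at once; overlap alone does not block a request, since two overlapping ranges are still valid HTTP, but it is recorded so the event can be correlated with an IDS alert.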