Of course you can request a lot of data with a simple request, but just repeatedly downloading the same large file will have the same effect.
There is also no reason for such requests to require any unusual amount of resources, so it looks like the issue lies wholly in Apache's evidently poor implementation.
Apache range request denial of service
Posted Sep 11, 2011 6:14 UTC (Sun) by dlang (✭ supporter ✭, #313)
Also, as separate requests, each one will get logged, so it will be obvious that you have lots of requests from one source. As multiple overlapping ranges, you won't get any log message until everything is complete.
I see this as primarily an HTTP protocol bug that Apache ends up being especially inefficient at handling, but to a large degree all other servers should be vulnerable as well.
But the idea that you can DoS Apache is far from new; this is just one additional method of doing so.
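The overlapping-range problem discussed in the comments above can be checked before any response body is built. The following is an added example, not part of the thread and not Apache's code: it parses a `Range` header, coalesces overlapping ranges, and reports a summary that can be logged up front. The function names, the `MAX_RANGES` limit and the fallback policy are assumptions made for illustration.

```python
import re

MAX_RANGES = 5  # assumed policy limit, not a value from the thread
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_ranges(header, size):
    """Return inclusive (first, last) byte ranges, or None if malformed."""
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    out = []
    for spec in specs.split(","):
        m = _SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            return None
        first, last = m.group(1), m.group(2)
        if not first:                      # suffix form "-N": the last N bytes
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = min(int(last), size - 1) if last else size - 1
            if last and int(last) < start:
                return None
        if start <= end:                   # drop unsatisfiable ranges
            out.append((start, end))
    return out

def coalesce(ranges):
    """Merge overlapping or adjacent ranges into a minimal sorted list."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def assess(header, size):
    """Summarise a Range header so it can be logged before any body is sent."""
    ranges = parse_ranges(header, size)
    if ranges is None:
        return {"verdict": "ignore-range"}
    merged = coalesce(ranges)
    requested = sum(e - s + 1 for s, e in ranges)
    distinct = sum(e - s + 1 for s, e in merged)
    # Assumed policy: too many ranges, or more bytes than the file holds,
    # falls back to one plain full-body response.
    excessive = len(ranges) > MAX_RANGES or requested > size
    return {"ranges": len(ranges), "requested": requested, "distinct": distinct,
            "merged": merged, "verdict": "serve-full" if excessive else "serve-ranges"}
```

Logging the `requested` and `distinct` byte counts when the request arrives gives the early signal that the comment notes is missing when all ranges travel in one request.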