LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Apache range request denial of service

Apache range request denial of service

Posted Sep 11, 2011 6:14 UTC (Sun) by dlang (✭ supporter ✭, #313)
In reply to: Apache range request denial of service by slashdot
Parent article: Apache range request denial of service

if they are done as separate requests an external firewall or load balancer will see all the individual requests and can throttle them.

also, as separate requests, each one will get logged so it will be obvious that you have lots of requests from one source. as multiple overlapping ranges, you won't get any log message until everything is complete.

I see this as primarily a HTTP protocol bug that apache ends up being especially inefficient at handling, but to a large degree all other servers should be vulnerable as well.

but the idea that you can DOS apache is far from new, this is just one additional method of doing so.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds