
Apache range request denial of service

Posted Sep 10, 2011 21:51 UTC (Sat) by slashdot (guest, #22014)
Parent article: Apache range request denial of service

Where's the issue?

Of course you can request a lot of data with a simple request, but just repeatedly downloading the same large file will have the same effect.

There is also no reason for such requests to require any unusual amount of resources, so it looks like the issue lies wholly in Apache's evidently poor implementation.


Apache range request denial of service

Posted Sep 11, 2011 6:14 UTC (Sun) by dlang (subscriber, #313)

If they are done as separate requests, an external firewall or load balancer will see all the individual requests and can throttle them.

Also, as separate requests, each one will get logged, so it will be obvious that you have lots of requests from one source. As multiple overlapping ranges, you won't get any log message until everything is complete.

I see this as primarily an HTTP protocol bug that Apache ends up being especially inefficient at handling, but to a large degree all other servers should be vulnerable as well.

But the idea that you can DoS Apache is far from new; this is just one additional method of doing so.
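
Added example, not part of either comment or the parent article: because many overlapping ranges inside one request do not show up as separate log lines, this sketch shows a per-request check a proxy or log processor could run on the Range header itself. The function names, thresholds and sample headers are assumptions constructed for illustration.

```python
import re

MAX_RANGES = 5            # assumed policy limit on ranges per request
MAX_AMPLIFICATION = 1.0   # assumed limit: bytes requested / resource size
_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header, size):
    """Resolve a 'bytes=' Range value to inclusive (start, end) pairs.
    Returns None when the value is malformed or not a byte range."""
    unit, _, specs = header.partition("=")
    if unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.groups() == ("", ""):
            return None
        first, last = m.groups()
        if first == "":                       # suffix form: the last N bytes
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            if last and int(last) < start:
                return None                   # last byte before first byte
            end = min(int(last), size - 1) if last else size - 1
        if start <= end:                      # drop unsatisfiable ranges
            ranges.append((start, end))
    return ranges

def assess(header, size):
    """Summarise one request's Range header for logging or throttling."""
    ranges = parse_ranges(header, size)
    if ranges is None:
        return {"malformed": True}
    total = sum(end - start + 1 for start, end in ranges)
    overlaps, reach = 0, -1
    for start, end in sorted(ranges):
        if start <= reach:                    # begins inside bytes already covered
            overlaps += 1
        reach = max(reach, end)
    amplification = total / size if size else 0.0
    return {"malformed": False, "ranges": len(ranges), "overlaps": overlaps,
            "amplification": amplification,
            "suspicious": len(ranges) > MAX_RANGES
                          or amplification > MAX_AMPLIFICATION}

if __name__ == "__main__":
    # Constructed sample headers against a 1000-byte resource.
    for h in ("bytes=0-499", "bytes=0-99,200-299", "bytes=0-,0-,0-,0-"):
        print(h, assess(h, 1000))
```

Emitting the returned summary as a log field at request start gives the per-source visibility that separate requests would have produced.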
