Apache has promised a patch in the "next 96 hours" to fix the vulnerability that exposes Web servers running the Apache software to denial of service attacks.
A denial-of-service tool that exploits a security flaw in the Apache
Web server software is available in the wild. The Apache team is
working on a fix and is expected to roll it out over the next few days.
Called "Apache Killer," the DoS tool appeared Aug. 19 on the "Full
Disclosure" security mailing list. The Apache Software Foundation
acknowledged on Aug. 24 that the vulnerability the tool targets
existed, and promised a fix for Apache 2.0 and 2.2 "in the next 96
Apache is the most widely used Web server software in the world,
accounting for 65.2 percent of all such software currently in use,
according to United Kingdom-based security consultancy Netcraft. The
Apache team said all versions of the software in the 1.3 and 2.0 lines
have the DoS bug and are vulnerable to attack. Apache 1.3 is no longer
supported and administrators should have moved on to more recent
"An attack tool is circulating in the wild. Active use of this tool has been observed," according to a security advisory from the Apache project
The Web server software has a flaw in how multiple overlapping HTTP
ranges are handled, the team said in the security advisory. The attack
can be launched remotely and a "modest number of requests" can consume
significant amounts of memory and CPU on the server, according to the
The bug was first reported in 2007 on the bugtraq Website by Michal
Zalewski, a Google security engineer. Zalewski had said at the time
that launching a DoS attack taking advantage of the flaw would be
"A lone, short request can be used to trick the server into firing
gigabytes of bogus data into the void, regardless of the server file
size, connection count, or keep-alive request number limits implemented
by the administrator. Whoops?" he wrote in the initial report.
A researcher under the name of Kingcope posted about the bug on Full
Disclosure last week. The post was accompanied by a Perl script to
execute an attack that could exhaust the memory of a remote Apache
server "rather quickly," Ryan Barnett, senior security researcher at
Trustwave wrote on the SpiderLAbs Anterior
blog Aug. 24.
When executed, the script sends malicious HTTP Range Request headers
for large amounts of data. Apache breaks up large requests in smaller
chunks, but the malicious request is sizeable enough that system
resources get tied up processing each of the chunks, according to
"It appears due to its lack of sophistication, that it did not get
much attention by Apache developers and it has remained unpatched all
of this time," said Kevin Shortt, an incident handler at SAN
Institute's Internet Storm Center.
Trustwave added new rules to ModSecurity, a widely deployed Web
application firewall, to mitigate the attack. The new ModSecurity rules
are not intended to be a permanent fix, but a temporary measure as "the
core issue should certainly be addressed within the Apache code
itself," Barnett said.
Apache recommended that administrators "investigate whether they are
vulnerable" to the DoS attack and provided several mitigation steps to
protect Web servers until a patch is available.
Administrators can use mod_headers to disallow range headers
altogether or use mod_rewrite to limit the number of ranges that are
being handled, according to the advisory. However, mod_headers may
break certain clients, such as those used by e-Readers and streaming
Web video streaming.
They can also deploy a range header count module as a temporary
stopgap measure or limit the size of the request field to a few hundred
bytes to keep the Range header short. The change may affect sizable
cookies and security fields. As threats evolve, the request field may
need to be further limited, the team warned. It may also be possible to
disable compression on the fly, by removing mod_deflate as a loaded
module, according to the security advisory.
Administrators running a Mac-based server with Apache will have to
wait for Apple to deliver a patch because that version of the Web
Server is bundled inside Mac OS X and maintained by the operating