Apache Patches "Apache Killer" DoS Bug

By Fahmida Y. Rashid  |  Posted 2011-08-30

Apache has patched its Web server software to close the vulnerability that could result in a denial of service attack disabling the server.

Apache 2.2.20 released Aug. 30 plugs the hole used by the Perl script "Apache Killer" that could be used to cripple Web servers. Project developers originally promised the fix "within 48 hours" on Aug. 24, and then extended the time by another 24 hours two days later. The final security advisory did not explain why the fix took six days instead of the promised two.

The fix reductes the amount of memory used by HTTP requests and "weeds out or simplies" requests that can be potentially too "unwieldy" for the Web server to handle, according to the advisory.

"We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade," Tuesday's advisory stated.

While the bug has been patched, Apache's developers said part of the problem lies in

how the HTTP protocol handles large requests. The issue is being discussed within the International Engineering Task Force, a standards body, in order to change the protocol, Apache said.

"The Apache team should be applauded for testing and releasing an important security fix so quickly," Chet Wisniewski, a security researcher with Sophos, wrote on the Naked Security blog.

The issue existed in both Apache 2.2 and Apache 1.3, but the fix addresses only the 2.2 branch. Apache decided not to update the older 1.3 branch because that version is no longer being supported. Apache powers 65.2 percent of all Web servers currently in use, according to statistics from Netcraft, but it's not clear how many of them are running Apache 1.3.

Apache had published in the original advisory several mitigation paths for administrators to deploy as a workaround to the bug. Experts from F5 Networks also suggested that administrators modify the HTTP profile to remove the "Range" header entirely. F5 said customers can use the company's iRules tools to scrub headers if there are too many ranges inserted inside the header, as well as using the company's firewall tool to block the attacks.

Other security vendors also released tools that can protect customers from the Apache Killer tool and other attacks. Sourcefire's Vulnerability Research Team published a new rule to specifically detect the exploit for its Snort and IPS tools. Incapsula, a subsidiary of Imperva, said its customers are protected.

Rocket Fuel