Trend Micro researcher spots low-traffic DDoS attack vector

Kim Chanwoo says he has observed a DDoS attack that uses a low traffic methodology to exploit a specific HTTP vulnerability in the Apache server software.

DDoS attacks, he explains, are typically carried out by flooding the target site with traffic – e.g. SYN flooding, UDP flooding, ICMP flooding – but what makes this particular attack noteworthy is that it does not require a huge amount of traffic.

“All the attacker has to do is to send the especially crafted HTTP request, which will render the site inaccessible”, he says in his latest security posting.

Chanwoo and his team carried out a deeper analysis of the vulnerability (CVE-2011-3192) found in certain versions of Apache HTTP Server, which allows a remote attacker to conduct a DDoS attack by sending a small HTTP request.

The vulnerability, he asserts, exists in the byte-range filter in Apache HTTP Server 1.3.x, 2.0.x - 2.0.64 and 2.2.x - 2.2.19, and can be exploited by a range header that expresses multiple overlapping ranges.

The proof of concept for the exploit that abuses this vulnerability was published in August, he adds, noting that a tool that conducts DDoS attacks by exploiting this vulnerability was later created and dubbed the Apache Killer – the good news, Infosecurity notes, is that Apache patched this security hole last week.

“A typical attack scenario exploiting this vulnerability involves sending an HTTP request with multiple range:bytes header to the Apache server. Once the server receives the said request, it will create each bucket as a number of crafted range:bytes HTTP header items and insert a bucket-to-bucket brigade. This will cause heightened memory consumption and, eventually, a denial of service attack,” he notes.
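As an added illustration (not code from the Trend Micro write-up or from the Apache project), the following Python checker parses a Range header the way a WAF or log-analysis rule would and flags the pattern described above: many byte ranges, or ranges that overlap. The threshold of five ranges and the sample headers are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Illustrative threshold (assumption): public mitigation advice for CVE-2011-3192 rejected more than a handful of ranges.
MAX_RANGES = 5
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")
RangeSpec = Tuple[Optional[int], Optional[int]]

def parse_range_header(value: str) -> Optional[List[RangeSpec]]:
    """Parse 'bytes=a-b,c-,-d' into (start, end) pairs; None if malformed."""
    if not value.lower().startswith("bytes="):
        return None
    specs: List[RangeSpec] = []
    for part in value[len("bytes="):].split(","):
        m = _SPEC.match(part)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        specs.append((int(m.group(1)) if m.group(1) else None,
                      int(m.group(2)) if m.group(2) else None))
    return specs

def count_overlaps(specs: List[RangeSpec], content_length: int) -> int:
    """Count ranges that overlap an earlier one, resolved against a body size."""
    resolved = []
    for start, end in specs:
        if start is None:                       # suffix form "-N": last N bytes
            s, e = max(0, content_length - end), content_length - 1
        else:                                   # "a-b" or open-ended "a-"
            s, e = start, (content_length - 1 if end is None else min(end, content_length - 1))
        if s <= e:                              # drop unsatisfiable ranges
            resolved.append((s, e))
    resolved.sort()
    overlaps, max_end = 0, -1
    for s, e in resolved:
        if s <= max_end:                        # starts inside a range already seen
            overlaps += 1
        max_end = max(max_end, e)
    return overlaps

def assess_range_header(value: str, content_length: int = 1_000_000) -> Dict[str, object]:
    """Flag a Range header when it carries too many ranges or any overlap."""
    specs = parse_range_header(value)
    if specs is None:                           # malformed: leave it to the server to reject
        return {"ranges": 0, "overlapping": 0, "suspicious": False}
    n, k = len(specs), count_overlaps(specs, content_length)
    return {"ranges": n, "overlapping": k, "suspicious": n > MAX_RANGES or k > 0}

# Constructed samples: a normal download-resume request and one with stacked overlapping ranges.
SAMPLES = ("bytes=0-499", "bytes=0-,0-1,0-2,0-3,0-4,0-5,0-6")
```

Running `assess_range_header` over each entry in `SAMPLES` marks only the second header as suspicious, since every range after the first overlaps one already seen.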

According to Chanwoo, web administrators who run Apache HTTP Server are advised to apply the patch as soon as possible.
