Wednesday, August 24, 2011

Temporary fix for Apache Killer

Update (September 07): Apache released version 2.2.20 to fix this issue.

Update (August 26): The Request-Range header needs to be blocked as well.

A few days ago KingCope published a small Perl script to launch a DoS attack against Apache HTTPD. The problem is that it is too efficient for its own good. I had a good time playing with it and came up with some pointers that might help others.
  1. Make sure that your MPM settings are appropriate for your server resources. For example, you should not expect a 256MB RAM server to run 100 instances of Apache.
  2. Disable DEFLATE output filter with RemoveOutputFilter DEFLATE.
  3. Disable Partial Content by having mod_headers (headers_module) strip the Range header: RequestHeader unset Range.
You will lose some features such as download resumption and gzip encoding, but this is definitely better than iptables packet inspection on every single packet, as someone suggested.
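The three pointers above as one httpd.conf fragment (an added example, not from the original post). The MPM numbers are illustrative assumptions for a small prefork host; for step 2 it disables DEFLATE by not attaching the filter at all (commenting out the AddOutputFilterByType line) instead of using RemoveOutputFilter.

```apacheconf
# Added example: Apache Killer mitigations for Apache 2.2 in one fragment.
# The worker counts below are assumptions for a ~256MB box, not measured values.

# 1. Keep the prefork process count within what the server's RAM can hold,
#    so a flood of Range requests cannot fork the box into swap.
<IfModule mpm_prefork_module>
    StartServers          2
    MinSpareServers       2
    MaxSpareServers       5
    MaxClients           20
    MaxRequestsPerChild 500
</IfModule>

# 2. Do not compress responses: leave the DEFLATE filter unattached so each
#    request does not also allocate compression buffers. Comment out (or remove)
#    whichever line in your config attaches it, for example:
# AddOutputFilterByType DEFLATE text/html text/plain text/css

# 3. Strip the Range and Request-Range request headers before the request is
#    served, so every response is a full 200 instead of a 206 Partial Content
#    built from many byte ranges.
<IfModule mod_headers.c>
    RequestHeader unset Range
    RequestHeader unset Request-Range
</IfModule>
```

After reloading, a request carrying a Range header should come back as 200 with the whole body and no Content-Range header, which is a quick way to confirm the unset is in effect.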
