Monday, September 19, 2011

Testing Web Servers for Slow HTTP Attacks

Cross-posted from Qualys Security Labs.

Following the release of the slowhttptest tool, I ran benchmark tests of some popular Web servers. My testing shows that all of the observed Web servers (and probably others) are vulnerable to slow http attacks in their default configurations. Reports generated by the slowhttptest tool illustrate the differences in how the various Web servers handle slow http attacks.

 

Configurations Tested

 

Tests were run against the default, out-of-the-box configurations of the Web servers, which is the best level playing field for comparison. And while most deployments will customize their configuration, they will likely do it for reasons other than improving protection against slow http attacks. Therefore it’s useful to understand how the default configurations relate to slow http attack vulnerability.

 

The following HTTP servers were observed:

 

Web Server Operating System
Apache 2.2.19 MPM prefork Mac OS X 10.7 Lion Server
nginx 1.0.0 Mac OS X 10.7 Lion Server from MacPorts
lighttpd 1.4.28 Ubuntu 11.04
IIS 7 Windows 2008 Server

 

Observations

 

In addition to noting that all Web servers tested are vulnerable to slow http attacks, I drew some other generalizations about how different Web servers handle slow http attacks:

 

  • Apache, nginx and lighttpd wait for complete headers on any URL for requests without a message body (GET, for example) before issuing a response, even for requests with the verb FAKESLOWVERB.
  • Apache also waits for the entire body of requests with fake verbs before issuing a response with an error message.
  • For Apache, nginx and lighttpd, slow requests sent with fake verbs consume resources with the same success rate as requests sent with valid verbs, so the hacker doesn’t even need to bother finding a vulnerable URL.
  • Server administrators’ scripts typically query for particular expected values like method, or URL, or referer header, etc., but not for fake verbs. That means it is likely that slow http attacks using fake verbs or URLs can go unnoticed by the server administrator.
  • Each server except IIS is vulnerable to both slow header and slow message body attacks. IIS is vulnerable only to slow message body attacks.

 

However, there are some interesting differences in the results as well. The screenshots below, which show the graphical output of the slowhttptest tool, demonstrate how connection state changed during the tests, and illustrate how the various Web servers handle slow http attacks.

 

Apache MPM prefork:

 

Apache is generally the most vulnerable, and denial of service can be achieved with 355 connections on the system tested. Apache documentation indicates a 300-second timeout for connections, but my testing indicates this is not enforced.

 

Apache-graph-1

 

In the test, the server accepted 483 connections and started processing 355 of them.  The 355 corresponds to RLIMIT_NPROC (max user processes), a machine-dependent value that is 709 on the machine tested, times MaxClients, whose default value in httpd.conf is 50%:  355 = 709 * 50%. 

 

The rest of the connections were accepted and backlogged. The limit for backlog is set by the ListenBackLog directive and is 512 in default httpd.conf, but is often limited to a smaller number by operating system, 128 in case of Mac OS X. The 483 connected connections shown in the graph correspond to the 355 being processed plus the 128 in the backlog.

 

One interesting side note: The Apache documentation says that ListenBackLog is the “maximum length of the queue of pending connections”, but a simple test shows that backlogged connections are being accepted, e.g. server sends SYN-ACK back, and backlogged connections are ready for write operations on the client side, which is not a normal behavior for pending connections. Apache documentation is probably using “pending” to mean the internal connection state in Apache, but I rather expect “pending” to refer to the state in the TCP stack, where “pending” means “waiting to be accepted”.

 

I terminated the test after 240 seconds, but the picture would be the same for a longer test.  A properly configured client can keep connections open for hours, until the limit for headers count or length is met. With such settings, DoS is achieved with N+1 connections, where N is number specified by MaxClients.

 

While testing, I noticed that my httpd.conf had a TimeOut directive set to 300, and Apache 2.0 documentation says that:

 

The TimeOut directive currently defines the amount of time Apache will wait for three things:

  1.  
    1. The total amount of time it takes to receive a GET request.
    2. The amount of time between receipt of TCP packets on a POST or PUT request.
    3. The amount of time between ACKs on transmissions of TCP packets in responses.

 

I understand from the above paragraph that the opened connections should be closed after the TimeOut interval, i.e. 300 seconds in the default configuration. However, I observed that the connection is closed only if there is no data arriving for 300 seconds, which means this is not an effective preventative measure against DoS. This behavior also indicates that if there are some rules defined to throttle down too many connections with a similar pattern in a shorter period of time, they are also ineffective:  An attacker can initiate connections with very low connection rate and get the same results, as the connection can be prolonged virtually forever.

 

nginx:

 

nginx is also vulnerable to slow http attacks, but it offers more controls than Apache.

 

Nginx-graph-1

 

Surprisingly, the number of initially accepted connections was 377, even with the default settings of worker_connections = 1024, and worker_processes = 1.  But worker_rlimit_nofile, the maximum number of open file descriptors per worker that governs the maximum number of connections the worker can accept, has a default value of 377 on Mac OS X.

 

As shown in the graph above, the server accepts the connections it can accept, and leaves the rest of the connections pending. Due to some hardcoded timeout values, connections are closed after 70 seconds no matter how slow the data is arriving.  Nginx is therefore safer than default Apache, but it still gives attacker a chance to achieve DoS for 70 seconds.

 

The default TCP timeout (75), which closes pending connections, is longer than the nginx timeout (65), which closes accepted connections. This means that nginx moves some pending connections to the accepted state after it times out the first set of accepted connections. This extends the length of time that a batch of slow connection requests can tie up the server. 

 

In any case, a client can always re-establish connections every 65 seconds to keep the server under DoS conditions.

lighttpd:

 

Lighttpd with default configuration is vulnerable to both http attacks, which are fairly easy to carry out.

 

Lighttpd-graph-1

 

The default configuration allows a maximum of 480 connections to be accepted, as can be seen in the graph above, with the rest pending for 200 seconds, and then closed by a timeout. Lighttpd has a useful attribute called server.max-read-idle with default value 60, which closes a connection if no data is received before the timeout interval, but sending something to the socket every 59 seconds would reset it, allowing the attacker to keep connections open for a long time.

 

The lighttpd forums indicate that a fixed issue protects against slow HTTP request handling, it only fixes a waste of memory issue, and hitting the limit of concurrently processing connections is still pretty easy.

 

IIS 7:

 

IIS 7 offers good protection against slow headers, but this protection does not extend to slow message bodies. Because IIS is architected differently from the other Web servers tested, the behavior it displays is also different.

 

Iis-graph-1

 

IIS 7 accepts all connections, but does not consider them writeable until headers sections are received in full. Such connections require fewer resources from IIS, and therefore IIS can maintain a relatively larger pool of these connections. In the default configuration, it is not possible to exhaust the pool with a single slowhttptest run, which is limited to 1024 connections on systems I tested on.  However, it would be possible to launch multiple instances of slowhttptest to get around this limitation.

 

For requests with a slow message body, IIS’ protection is useless, as it’s possible to send complete headers sections but then slow down the message body section. In this case, the connections are transferred to IIS’ internal processing queue, which is limited in size to, don’t be surprised, 100 connections.  Even though the screenshot shows 1000 connections, I experimentally figured out that 100 requests with slow message body are enough to get DoS.

 

Final Thoughts

 

Software configuration is all about tradeoffs, and it is normal to sacrifice one aspect for another. We see from the test results above that all default configuration files of the Web servers tested are sacrificing protection against slow HTTP DoS attacks in exchange for better handling of connections that are legitimately slow.

 

Because a lot of people are not aware of slow http attacks, they will tend to trust the default configuration files distributed with the Web servers. It would be great if the vendors creating distribution packages for Web servers would pay attention to handling and minimizing the impact of slow attacks, as much as the Web servers’ configuration allows it. Meanwhile, if you are running a Web server, be careful and always test your setup before relying on it for production use.

11 comments:

  1. Whereas a number of} years ago live tables have been discovered solely at selected casinos, they will now be enjoyed at lots of of various gambling platforms on-line. Whether you're looking forVegas-style slots in Korea, or are interested in video poker andtai-sai , your casino ought to provide you with the video games you need. Other issues value contemplating is the quality of the software itself. Seeing solely top-rated software providers and sport 1xbet makers listed on a casino’s website is one of the|is amongst the|is probably certainly one of the} first indicators telling you that you're on the right place.

    ReplyDelete
  2. Thanks for sharing this insightful analysis of web server vulnerabilities, especially the details about how Apache and nginx handle slow http attacks. Understanding these nuances is crucial for web security. So, I am searching an assistant who can take my online statistics class for urgent basis and I will pay them.

    ReplyDelete
  3. The default configuration allows a maximum of 480 connections to be accepted, professional logo design services usa as can be seen in the graph above, with the rest pending for 200 seconds,

    ReplyDelete
  4. A dry herb vaporizer offers the luxury of inhaling fewer dangerous chemicals than smoking, you are still at risk of exposing to other harmful and addictive chemicals — like nicotine and THC from dry vaping cannabis and tobacco.

    ReplyDelete
  5. Testing Web server is essential for smooth run of your digital network and business. For seeking telehealth medical help, you can search for any telehealth company. We are a
    telemedicine florida based company.

    ReplyDelete
  6. I recommend considering B12 injections for weight loss as part of a comprehensive approach to achieving your health goals. B12 plays a crucial role in metabolism and energy production, and some studies suggest that B12 deficiency may be linked to weight gain or difficulty losing weight. However, it's important to note that B12 injections should be used in conjunction with a balanced diet, regular exercise, and other lifestyle changes for best results. Always consult with a healthcare professional before starting any new treatment regimen.

    ReplyDelete
  7. The ride share app has completely transformed the way I get around! No more waiting in long taxi lines or stressing about parking spaces. With just a few taps on my phone, I can easily request a ride and be on my way in minutes. It's not only convenient but also cost-effective and environmentally friendly. Plus, the drivers I've encountered have been friendly and professional. Thank you for making transportation so effortless!

    ReplyDelete
  8. CubePeaks stands out as a premier choice for MS Dynamics consultants. Their team's proficiency and dedication have been instrumental in optimizing our Dynamics environment. From customizations to troubleshooting, CubePeaks has consistently delivered exceptional results, empowering our team to leverage the full potential of MS Dynamics. With their expertise and proactive support, CubePeaks has become an invaluable asset to our organization's success.

    ReplyDelete
  9. Today's journey through the Nifty spot market is akin to sketching with a palette of colored pencils. Each movement paints a different shade on the canvas of market dynamics. From the bold strokes of bullish momentum to the subtle nuances of consolidation, every color tells a story. As traders, we blend these hues of price action with precision, crafting strategies that capture the essence of market sentiment. Just as an artist wields their pencils with finesse, navigating the Nifty spot requires skillful interpretation of these colorful fluctuations to uncover profitable opportunities.

    ReplyDelete
  10. Kulsoom Hina's dedication tosupporting charity organizations in the USA supporting charity organizations in the USA is truly commendable. Her tireless efforts and unwavering commitment to various causes demonstrate her deep compassion and desire to make a positive impact in society. Through her involvement with charity organizations across the country, Kulsoom exemplifies the spirit of giving back and helping those in need. Whether it's providing aid to disaster-stricken areas, supporting healthcare initiatives, or advocating for social justice, her contributions are invaluable in creating a better tomorrow for all. Thank you, Kulsoom Hina, for your selfless service and dedication to making a difference in the USA's charitable landscape.

    ReplyDelete
  11. Thank you for sharing this informative blog! I’m also taking a web development course, which I started during the final days of my university. Despite my busy schedule, I didn’t quit the course. Instead, I hired a write my dissertation for me service to handle my homework and get all the work done.






    ReplyDelete

CVE-2014-1849 Foscam Dynamic DNS predictable credentials vulnerability

CVE-2014-1849 Foscam Dynamic DNS predictable credentials vulnerability   Date Published: 05-08-2014 Class: Design error Remotely Exploit...