On Thu, 2002-12-19 at 11:03, Sergey Strakhov wrote:
> Hello,
> 
> We are experiencing problems with our Win32 Apache 1.3.27 with mod_ssl
> 2.8.12 + openssl 0.9.6g running on Windows 2000.
> It is a sort of DoS attack that makes our web site totally inaccessible.
> 
> One of those attacks was captured with Ethereal. The dump is attached.
> 
> As you can see, the attack is accomplished through both HTTP (80) and
> HTTPS (443) ports.
> First, the connection is opened to the HTTP port and a malformed
> HTTP/1.1 GET request (with no Host: header) is sent to the HTTP port
> (probably with an intention to produce a crash described in
> http://www.cert.org/advisories/CA-2002-27.html or just to determine the
> host's Server version). The server responds with "HTTP/1.1 400 Bad
> request" and closes the connection. After that the attacker starts
> opening connections to the HTTPS port. One of them is used to send SSLv2
> Client Hello request. From this point the web server starts rejecting
> all incoming connections and the web site stops responding on both HTTP
> and HTTPS ports.
> 
> The error log usually contains records like:
> 
> [..time..] [error] [client ..] client sent HTTP/1.1 request without
> hostname (see RFC2616 section 14.23): /
> [..time..] [error] Server ran out of threads to serve requests. Consider
> raising the ThreadsPerChild setting
> 
> Is this problem related to mod_ssl anyhow?
> Do you expect any fix for this problem soon?
> 
> Regards
> 
> P.S. We have the ThreadsPerChild parameter of httpd.conf set to 10.
> 

Your code is very much out of date ... it is exploitable and DOSable

I saw many people in the summer describe similar reports as yours,
prompting me to build Apache binaries for many of those that were
suffering.

You cannot continue to run with openssl 0.9.6g -- openssl 0.9.6h is the
current version.  My advice is do not waste your time trying to
understand it.

You can get reliable up-to-date binaries from me ;)  Other people are
downloading the binaries as well.

http://hunter.campbus.com/
Apache_1.3.27-Mod_SSL_2.8.11-OpenSSL_0.9.6h-Win32.zip

http://hunter.campbus.com/Openssl-0.9.6h-Win32.zip

http://hunter.campbus.com/Apache_2.0.43-OpenSSL_0.9.6h-Win32.zip

You can also get them from my server ... md5's are available from my
server as well.

http://tor.ath.cx/~hunter/
Apache_1.3.27-Mod_SSL_2.8.11-OpenSSL_0.9.6h-Win32.zip

http://tor.ath.cx/~hunter/Openssl-0.9.6h-Win32.zip

http://tor.ath.cx/~hunter/Apache_2.0.43-OpenSSL_0.9.6h-Win32.zip

You are welcome to contact me directly
h u n t e r @ t o r . a t h . c x

If you need instructions on how to rebuild the code, I have to look for
them - they are messy (for Apache2) and can be found in the archives -
search for 'apache hunter masm' -- apache 1.3.27 is easy to build let me
know if you need help.

hunter
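The log signature Sergey describes above (a hostless HTTP/1.1 probe answered with 400, then a burst of HTTPS connections until "Server ran out of threads"), as an added example that is not part of this thread and not code from either poster: a small Python script that parses Apache 1.3-style error_log lines and attributes each thread-exhaustion event to the clients that sent a hostless request within the preceding minute. The sample log lines, the client addresses and the 60-second window are constructed for illustration; the two message texts are the ones quoted in the report.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache 1.3 error_log line: "[timestamp] [level] [client a.b.c.d] message".
# The "[client ...]" field is absent on server-wide messages such as thread exhaustion.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Thu Dec 19 10:58:01 2002"

# Message prefixes quoted in the original report.
HOSTLESS = "client sent HTTP/1.1 request without hostname"
EXHAUSTED = "Server ran out of threads to serve requests"

# Constructed sample log (addresses and times are made up for this example).
SAMPLE_LOG = """\
[Thu Dec 19 10:57:02 2002] [notice] Apache/1.3.27 (Win32) mod_ssl/2.8.12 OpenSSL/0.9.6g configured -- resuming normal operations
[Thu Dec 19 10:58:01 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Dec 19 10:58:14 2002] [error] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
[Thu Dec 19 11:20:40 2002] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Dec 19 11:30:00 2002] [error] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
""".splitlines()


def parse_line(line):
    """Return (timestamp, client_or_None, message), or None if the line is not an error_log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("client"), m.group("msg")


def detect(lines, window=timedelta(seconds=60)):
    """Return one record per thread-exhaustion event, listing the clients that sent a
    hostless HTTP/1.1 request inside the preceding window (the probe seen before the attack).

    The window is an assumption for this example; tune it to the real inter-event spacing.
    """
    recent = []   # (timestamp, client) of hostless probes, oldest first
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, msg = parsed
        if client and msg.startswith(HOSTLESS):
            recent.append((ts, client))
        elif msg.startswith(EXHAUSTED):
            # Keep only probes that fall inside the window, then attribute the event.
            recent = [(t, c) for t, c in recent if ts - t <= window]
            events.append({"at": ts, "suspects": Counter(c for _, c in recent)})
    return events


if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        who = ", ".join(f"{c} ({n}x)" for c, n in ev["suspects"].items()) or "no probe in window"
        print(f"{ev['at']:%Y-%m-%d %H:%M:%S}  thread exhaustion; preceding hostless probes: {who}")
```

On the constructed log the first exhaustion is attributed to 192.0.2.10, which probed 13 seconds earlier; the second has no suspect because the only probe before it is outside the window. An empty suspect list is itself useful: it means the exhaustion was not preceded by the probe and a plain overload or a different attack should be considered.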


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
