There is a major thread running on the openssl list about this very thing (Slapper worm)... Starts here:
http://www.mail-archive.com/[email protected]/msg29762.html

Rgds,
Owen Boyle

>-----Original Message-----
>From: Sergey Strakhov [mailto:[EMAIL PROTECTED]]
>Sent: Donnerstag, 19. Dezember 2002 17:04
>To: [EMAIL PROTECTED]
>Cc: Pedro Nascimento; Greg Davydouski
>Subject: DoS attack on mod_ssl 2.8.12 ??
>
>
>Hello,
>
>We are experiencing problems with our Win32 Apache 1.3.27 with mod_ssl
>2.8.12 + openssl 0.9.6g running on Windows 2000.
>It is a sort of DoS attack that makes our web site totally
>inaccessible.
>
>One of those attacks was captured with Ethereal. The dump is attached.
>
>As you can see, the attack is accomplished through both HTTP (80) and
>HTTPS (443) ports.
>First, the connection is opened to the HTTP port and a malformed
>HTTP/1.1 GET request (with no Host: header) is sent to the HTTP port
>(probably with an intention to produce a crash described in
>http://www.cert.org/advisories/CA-2002-27.html or just to determine the
>host's Server version). The server responds with "HTTP/1.1 400 Bad
>request" and closes the connection. After that the attacker starts
>opening connections to the HTTPS port. One of them is used to send
>SSLv2 Client Hello request. From this point the web server starts
>rejecting all incoming connections and the web site stops responding
>on both HTTP and HTTPS ports.
>
>The error log usually contains records like:
>
>[..time..] [error] [client ..] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
>[..time..] [error] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
>
>Is this problem related to mod_ssl anyhow?
>Do you expect any fix for this problem soon?
>
>Regards
>
>P.S. We have the ThreadsPerChild parameter of httpd.conf set to 10.
>
>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
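A log check for the sequence reported in the quoted message, added here as an example and not part of the thread: it flags every "request without hostname" error that is followed by the "ran out of threads" error within a time window. The function name, the 60-second window, the Apache 1.3 timestamp layout and the sample lines (constructed, with documentation addresses) are assumptions; the two message texts are the ones quoted in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Apache 1.3 error_log layout. Only the two message
# texts come from the post; timestamps and client addresses are made up.
SAMPLE_LOG = """\
[Thu Dec 19 16:58:01 2002] [error] [client 192.0.2.10] File does not exist: c:/apache/htdocs/favicon.ico
[Thu Dec 19 17:03:40 2002] [error] [client 192.0.2.77] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Dec 19 17:03:52 2002] [error] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
[Thu Dec 19 18:30:00 2002] [error] [client 192.0.2.20] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
"""

LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] (?:\[client (?P<ip>[^\]]+)\] )?(?P<msg>.*)$")
PROBE = "client sent HTTP/1.1 request without hostname"
EXHAUSTED = "Server ran out of threads to serve requests"


def find_probe_then_exhaustion(log_text, window=timedelta(seconds=60)):
    """Return (client_ip, probe_time, exhaustion_time) for each Host-less
    request that is followed by thread exhaustion within `window`."""
    probes = []  # (time, ip) of Host-less requests not yet matched
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # unexpected timestamp layout: skip the line
        if m["ip"] and m["msg"].startswith(PROBE):
            probes.append((ts, m["ip"]))
        elif m["msg"].startswith(EXHAUSTED):
            # Keep only probes recent enough to be plausibly related.
            recent = [(t, ip) for t, ip in probes if ts - t <= window]
            hits.extend((ip, t, ts) for t, ip in recent)
            probes = []
    return hits


if __name__ == "__main__":
    for ip, probe_at, down_at in find_probe_then_exhaustion(SAMPLE_LOG):
        print(f"{ip}: Host-less request {probe_at}, threads exhausted {down_at}")
```

A hit is a correlation in time only; the error log does not record the HTTPS connections described in the post, so the packet capture or the SSL log is still needed to confirm the cause.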
