3 posts matching 'Killer'

  1. 2011.08.27 Workarounds Issued For 'Apache Killer' Attack by CEOinIRVINE
  2. 2008.12.10 How To Survive A Workaholic Spouse by CEOinIRVINE
  3. 2008.09.17 Serial rapist suspected in student's slaying [I would say that US should KILL rapist.] by CEOinIRVINE

Workarounds Issued For 'Apache Killer' Attack

'Active use' of attack tool spotted as Apache team spells out mitigation strategies and promises a patch within 24 hours

Aug 25, 2011 | 08:36 PM

By Kelly Jackson Higgins
Dark Reading
A working proof-of-concept christened the "Apache Killer," released this week, exploits an as-yet unpatched flaw in the server software to pound Apache servers with a DDoS attack -- and all it would take is one machine to bring the server to its knees.

The Apache development team late yesterday issued an alert and workarounds in advance of rolling out a patch for the flaw in Apache HTTPD Web Server 1.3 and 2.X. The Apache Killer lets an attacker use a single PC to wage a denial of service attack against an Apache server.

"By sending specially crafted HTTP requests which include malformed range HTTP header, an attacker can disrupt the normal function of the web server, thus disallowing legitimate users to receive responses from the web server," the team's advisory says. "This issue affects all Apache software versions and a patch has not been released yet."

The underlying flaw was apparently first reported on bugtraq in 2007. "It appears due to its lack of sophistication, that it did not get much attention by Apache developers and it has remained unpatched all of this time," wrote Kevin Shortt of the SANS Internet Storm Center, who noted that he had not yet tested the PoC, but planned to.

In an updated advisory posted this morning, the Apache team revealed further exposure of the platform to the attack, and noted that "active use of this tool has been observed."

Meanwhile, vendors were stepping forward today announcing their protections against the Apache Killer attack.

Sourcefire says its IPS and open-source Snort technology have been able to detect this flaw for several years and that its Vulnerability Research Team today beefed up that protection with a new rule specific to the Apache Killer. "A lot of people have been freaking out about the 'Apache Killer' tool released on Full-Disclosure last Friday. While it's an effective way to cause a Denial of Service (DoS) against an Apache web server, and readily accessible to your average malfeasant, the good news is you don't need to let your hair catch fire over it, because the VRT had it covered before the tool was even released," blogged Alex Kirk, a member of the Sourcefire VRT.

Trustwave's SpiderLabs earlier this week added protection for the attack to its ModSecurity Web application firewall.

And Imperva subsidiary Incapsula says its Web security service users are shielded from the Apache Killer. "Web sites that are using Incapsula and configured to block illegal resource access attempts are protected from such exploit attempts," according to an Incapsula advisory issued today.

The Apache team promised that a patch or new Apache version for Apache 2.0 and 2.2 would be available this week. "Note that, while popular, Apache 1.3 is deprecated," the advisory says. Meantime, the team offered several workarounds, including limiting the size of the HTTP request field to "a few hundred bytes."
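The request-field size workaround described above, sketched as a front-end check. This is an added example, not code from the Apache advisory or from Dark Reading; `FIELD_LIMIT`, `MAX_RANGES`, the function names and the sample requests are assumptions, and the range-count check goes beyond the workaround quoted in the article.

```python
# Added example: limits and sample requests are constructed for illustration.
FIELD_LIMIT = 200  # assumed stand-in for "a few hundred bytes"
MAX_RANGES = 5     # assumed cap on byte ranges per request


def parse_headers(raw: bytes):
    """Yield (name, value, line_length) for each header line of a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            yield (name.strip().lower().decode("latin-1"),
                   value.strip().decode("latin-1"), len(line))


def count_ranges(value: str) -> int:
    """Count the comma-separated range specs in a Range header value."""
    _, _, specs = value.partition("=")
    return sum(1 for spec in specs.split(",") if spec.strip())


def audit_request(raw: bytes, field_limit=FIELD_LIMIT, max_ranges=MAX_RANGES):
    """Return (finding, header, measured_value) tuples for one request."""
    findings = []
    for name, value, length in parse_headers(raw):
        if length > field_limit:
            findings.append(("field-too-large", name, length))
        if name == "range" and count_ranges(value) > max_ranges:
            findings.append(("too-many-ranges", name, count_ranges(value)))
    return findings


def build(extra_headers):
    """Assemble a constructed sample request for the demonstration."""
    lines = ["GET /index.html HTTP/1.1", "Host: www.example.com"] + extra_headers
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


NORMAL = build(["Range: bytes=0-1023"])
MANY = build(["Range: bytes=" + ",".join(f"{i}-{i + 9}" for i in range(0, 400, 10))])
LONG_COOKIE = build(["Cookie: session=" + "a" * 300])

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("many", MANY), ("cookie", LONG_COOKIE)):
        print(label, audit_request(req))
```

The `LONG_COOKIE` sample shows the cost of a blanket field-size limit: an ordinary long cookie is rejected along with the oversized Range header, so the limit has to be checked against the headers a site's legitimate clients actually send.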

Posted by CEOinIRVINE

When your partner's real partner is work, here's what to do.

Sarah Morris Smith used to spend 70 hours a week selling Mary Kay cosmetics while her husband, John, a part-time sales associate at Walgreens, stayed home with their infant daughter. "He always did the housework and cooking," says Smith. "I'm sure he resented doing all those chores."

Smith admits that her workaholism ripped her marriage apart. She and John still live together, though they are legally separated. No longer with Mary Kay, Smith works well into the evenings as a recruiter for nSight, a business consultancy in Burlington, Mass.

"I think we might have had a chance if we had shared hobbies or scheduled time together, but I come home and monopolize the computer," says Smith. "Even down-time is work time. I'm giving him primary custody of our daughter because I know my work habits are not fair to her."


Sarah and John's situation is all too common. Addiction to work is a marriage killer: Unions involving workaholics are twice as likely to end in divorce, according to a study by researchers at the University of North Carolina at Charlotte. And for couples that choose to gut it out, the psychological toll can be devastating.

Posted by CEOinIRVINE

NEW YORK (CNN) -- Seven months have passed since the disappearance and slaying of Santa Barbara, California, college student Brianna Denison.

Brianna Denison, 19, disappeared when she was visiting friends at the University of Nevada, Reno.


The 19-year-old undergraduate disappeared while visiting friends at the University of Nevada, Reno.

She was last seen sleeping on the living room sofa near an unlocked glass door of a friend's off-campus apartment after a night of partying.

Her friends awoke the next morning to find Denison missing, a small blood stain on her pillow. Her shoes, purse and cell phone were left behind.

Three weeks later, her body was found partially covered in snow in a nearby field. She'd been sexually assaulted and strangled.

But the killer left an unusual "calling card." According to authorities, he has a fetish for women's lingerie and makes it a habit to take the panties of his victims, leaving behind the previous victim's.

Along with Denison's remains, a pair of black thong panties was found. The panties did not belong to the victim and contained DNA from another, unidentified female.

Police are asking any woman who has lost a pair of black thong panties, size small, with a Pink Panther cartoon and heart design, to come forward.

Police have also been able to connect DNA found at the crime scene to a prior sexual assault that occurred December 16 and involved another university student. She managed to escape her attacker and described him in more detail to authorities.

Additionally, both crimes bear striking similarity to several other sexual assaults in the area, leading police to conclude that Denison's killer is a serial rapist who most likely lives or works in the area. The attacks all took place in close proximity to each other, during similar times of day and used similar methods.

In one of the earlier attacks, a university student was walking across a parking lot to her car when a man approached her from behind and put her in a choke hold. He pushed her to the ground and groped her. She fought him off and screamed. He kicked her in the head and then ran, dropping a couple of unopened condom packets.

In another incident, a student was attacked as she was parking her car outside her home. The assailant tried to choke her and force her inside his vehicle. He then drove her a few minutes away to a secluded area and sexually assaulted her, then beat her and drove her back to her residence.

He threatened that "he'd be back" if she told anyone. Victims describe the assailant as a white male, 28 to 40 years old, square chin, brown hair, about 5-foot-6, strong but not muscular, a small pot belly and short beard.

The vehicle associated with him is a small truck with an extended cab, automatic transmission and front bucket style seats with velour upholstery. One witness also describes seeing a baby shoe lying on the floorboard in the front passenger side of the truck. 

Police and family are asking for the public's help in bringing Brianna Denison's killer to justice.

Please call the Reno Police Hot Line at 775-745-3521 or the Secret Witness Line at 775-322-4900. Secret Witness is offering a $2,500 reward for anonymous tips that lead to an arrest and prosecution.
Posted by CEOinIRVINE