Apache exploit leaves up to 65% of all websites vulnerable

Filed Under: Denial of Service, Vulnerability

Apache logoThe Apache Software Foundation has announced a denial-of-service vulnerability that affects all versions of the ubiquitous Apache web server, leaving up to 65% of all websites vulnerable.

A denial of service attack works by flooding a server with information and making it so busy that it locks-up and becomes useless. Normally an attacker would have to martial some serious horsepower to overwhelm a big website but this latest vulnerability allows them to do it with a lot less effort. Frankly it's the last thing the web needs in this summer of me-too hacktivism.

The vulnerability works by exploiting a feature in web servers that gives you the ability to pause and resume your downloads. These days if you have to stop downloading something part-way through you can generally pick up where you left off and you don't have to start again from scratch.

This useful feature is possible because a web server can be told to give you only the part of a file you need. In fact it's possible to ask for more than one part of a file at the same time. And that's the problem. It seems you can legitimately ask for hundreds of very large overlapping parts of a file in a single request. Enough parts that a relatively modest number of requests can tie a server's CPU and memory in knots.

It seems that Apache deals with these kinds of request particularly inefficiently but the exploit is at least partly caused by a weakness in the HTTP protocol itself - the set of rules that determine how any web server should behave. Because all web servers follow the same set of rules it's possible that all web servers are vulnerable to some degree.

According to the advisory an attack tool is already in the wild and in use. Although no patch is available at the time of writing one is expected within hours. In the meantime diligent webmasters will probably want to consider the mitigation strategies outlined in the advisory.

More generally this raises some interesting questions about the wisdom of having so much of the web reliant on one piece of software, no matter how good it is.

, , , , ,

You might like

6 Responses to Apache exploit leaves up to 65% of all websites vulnerable

  1. The internet has been falling apart in the last 3 years....I mean, all this personal computer hacking is annoying and all, but it's the REAL computers (that probably don't run windows) that are probably going to hit/hurt us hardest! Like power plants, and cellphone tower/networks, and NASA and stuff will all get hacked and go to hell but we'll not hear of it as much because we're so focused on our own shit getting hax0r3d!

    Anyways....FIRST! :)

  2. withheld · 1150 days ago

    Well, that certainly puts paid to the foolish notion that Open Source software is inherently more secure than proprietary. How long did it take for the crowd to discover this?

    • chip · 1028 days ago

      And the Apple III hardly sold any units, therefore Apple is a company that is a commercial failure.

      When you're looking at stuff like this, you can't single out examples. You need to look at the overall picture, because both OS and proprietary are going to have flaws. Hopefully, you already knew that and I'm feeding a troll.

  3. Teqx · 1149 days ago

    The internet hasn't been falling apart because of hacker culture, hacker culture has been around since the beginnings of the internet, it's just now it's more about money, developing nations get the internet, the criminal hackers get online....

    So what if apache had an exploit that affected 65% of servers, Microsoft should be jelous, this doesn't mean open source is worse than commercial software, at least when there is a known exploit it gets fixed faster and isn't dependent on public scrutiny or inhouse development costs to be fixed.

    "More generally this raises some interesting questions about the wisdom of having so much of the web reliant on one piece of software", would you rather 80%? like the Windows OS....then we can have more one size fits all exploits, and more zero day exploits....install windows and you'll still be downloading security updates come lunch......I prefer my Internet servers and Operating Systems to have variety.....

    • Dont BeDumb · 1061 days ago

      Following your logic we should replace the wheel. Maybe they should use some of them squares I have been hearing about, them wheels are always going flat anyways.

      • Olly · 875 days ago

        following your logic incest would not be a biological problem

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Mark Stockley is the founder of independent web consultancy Compound Eye and he's interested in literally anything that makes websites better. Follow him on Twitter at @MarkStockley