luben karavelov Wrote:
-------------------------------------------------------
> A DoS attack against number of http servers is
> available and has hit
> slashdot today:
> http://it.slashdot.org/story/09/06/19/1243203/Atta
> ck-On-a-Significant-Flaw-In-Apache-Released
>
> Out of the box nginx is also vulnerable (I have
> tested it on latest 0.7
> installation). A quick fix for the vulnerability
> follows:
>
> Put in "http" section:
>
> client_body_timeout 10;
> client_header_timeout 10;
> keepalive_timeout 10;
> send_timeout 10;
> limit_zone limit_per_ip $binary_remote_addr 1m;
>
> and put in "server" section :
>
> limit_conn limit_per 16;
>
> The last 2 configuration lines are for limiting
> connections per client
> IP. This fist lines are same sane connection
> timeouts.
>
> Best regards and keep the great work!


A look at the script reveals it keeps connections open with invalid headers (note the appended "\r\n"):

"GET /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";

As by default the (undocumented?) ignore_invalid_headers directive is enabled in nginx, isn't this attack a non-issue, unless one disables the directive?

Sending such headers to an nginx server with the directive enabled results in a "400 Bad Request".