Re: DoS attack in the wild

June 20, 2009 04:54AM
On Fri, Jun 19, 2009 at 08:09:28PM -0400, w3wsrmn wrote:

> luben karavelov Wrote:
> -------------------------------------------------------
> > A DoS attack against a number of http servers is
> > available and has hit slashdot today:
> > http://it.slashdot.org/story/09/06/19/1243203/Attack-On-a-Significant-Flaw-In-Apache-Released
> >
> > Out of the box nginx is also vulnerable (I have
> > tested it on the latest 0.7 installation). A quick fix
> > for the vulnerability follows:
> >
> > Put in the "http" section:
> >
> > client_body_timeout 10;
> > client_header_timeout 10;
> > keepalive_timeout 10;
> > send_timeout 10;
> > limit_zone limit_per_ip $binary_remote_addr 1m;
> >
> > and put in the "server" section:
> >
> > limit_conn limit_per_ip 16;
> >
> > The last 2 configuration lines are for limiting
> > connections per client IP. The first lines are some
> > sane connection timeouts.
> >
> > Best regards and keep the great work!
>
>
> A look at the script reveals it keeps connections open with invalid headers (note the appended "\r\n"):

No, "\r\n" is a valid sequence in an HTTP request. Actually, a lone "\n" is
rather invalid, but most web servers treat it as "\r\n".

> "GET /$rand HTTP/1.1\r\n"
> . "Host: $sendhost\r\n"
> . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
> . "Content-Length: 42\r\n";
>
> As by default the (undocumented?) ignore_invalid_headers directive is enabled in nginx, isn't this attack a non-issue, unless one disables the directive?
>
> Sending such headers to an nginx server with the directive enabled results in a "400 Bad Request".
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,3151,3163#msg-3163
>

--
Igor Sysoev
http://sysoev.ru/en/
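As an added illustration (not code from this thread or from nginx), the following Python classifies a raw request buffer the way the discussion above frames it: the request the script sends is well-formed but never followed by the empty line that ends the header block, so it is incomplete rather than invalid, which is why header validation does not reject it and connection timeouts are the relevant control. The request line and host value are constructed placeholders.

```python
import re

# Constructed sample modelled on the fragment quoted in the thread: every line
# is a syntactically fine header, but the terminating empty line never arrives.
SLOW_REQUEST = (
    "GET /12345 HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
    "Content-Length: 42\r\n"
)

# Minimal shapes of a request line and of a "name: value" header line.
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*.*$")


def classify_request(buf: str) -> str:
    """Return 'complete', 'incomplete' or 'invalid' for a raw request buffer.

    Lines may end in CRLF or, leniently, in a bare LF (as most servers accept).
    'incomplete' means everything received so far is well-formed but the empty
    line ending the header block has not been seen yet; a server in this state
    keeps the connection open until client_header_timeout expires.
    """
    lines = buf.split("\n")
    lines.pop()  # trailing partial line (no newline yet) is simply unfinished
    lines = [l[:-1] if l.endswith("\r") else l for l in lines]
    if not lines:
        return "incomplete"
    if not REQUEST_LINE.match(lines[0]):
        return "invalid"
    for line in lines[1:]:
        if line == "":
            return "complete"  # empty line terminates the header block
        if not HEADER_LINE.match(line):
            return "invalid"  # this is what a 400 Bad Request would catch
    return "incomplete"
```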