On 24/08/11 08:53 +0200, Dirk Hartmann wrote:
> It is possible to DoS an actual squeeze-apache2 with easy to forge range-requests:
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
>
> Apache-devs are working on a solution:
> http://www.gossamer-threads.com/lists/apache/dev/401638
>
> But because the situation seems serious I thought I'd give you a heads up.
> Running this script against a squeeze machine with 8 cores and 24GB RAM
> you only need 200 threads to kick it out of memory.

There is an advisory that recommends some workarounds, depending on the needs of your specific site:
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3c20110824161640.122d38...@minotaur.apache.org%3E

regards
Rolf
--
I never let my schooling get in the way of my education. — Mark Twain