General News

ApacheKiller flaw integrated into Armageddon’s DDoS Botnet clients

I have talked about ApacheKiller flaw in detail here with possible workaround to mitigate this flaw.

Last week, a DDoS mitigation service vendor Arbor Networks revealed a detailed report can be download from here which say,

Penetration Testing Web Exploitation Tools

KillApachePy – KillApache python version

Few months back we posted Apache Range Byte flaw named ‘KillApache’ where we posted a perl script that can be use to freeze Apache web server in seconds(We have tested it) This time Miroslave Stampar(Co-Author of SQLMap tool) written this tool with few extended features in python scripting language named it ‘KillApachePy’

New enhancements :

  • Automated input parameters
  • Proxy support
  • Chose custom page of your target
  • Chose custom HTTP method e.g GET, HEAD
You can download it from github
General News

Apache released patch for Range Byte Flaw

Apache have released Patch for the recent range bytes request flaw which we published few days ago. This patch fix the Security flaw and

Change Log :

SECURITY: CVE-2011-3192 ( core: Fix handling of byte-range requests
to use less memory, to avoid denial of service. If the sum of all ranges in a
request is larger than the original file, ignore the ranges and send the complete
file. PR 51714.

You can download latest stable release here

If you are running CEntOS, you can update it in this way;

Check update using Yum Utility
yum check-update httpd

Install it
yum update httpd

If don’t want to update it, you can see this post for mitigation techniques.

Penetration Testing Web Exploitation Tools

Apache Killer – Denial of Service Flaw in Apache WebServer

We were following a thread , it was related to apache flaw which was discovered by KingCope.

What is ‘Apache Killer’ Flaw?

It sends multiple GET requests with dozens of “Byte Ranges” that will eat up server’s memory. Byte Range helps browswer or downloading applications to download required parts of file. This helps reduce bandwidth usage. While this script sends dozen of unsorted components in request header to cause apache   server to malfunction.

It is DoS condition on Apache web Server. I performed a test with a script written by @KingCope and can confirm that it will eat up Server resource in seconds.

Although the patch isn’t available from yet, we are still waiting for an update from Apache.

When some one execute this attack on your server, it will eat up your 1 GB RAM in 10 seconds, your CPU load will hit 10 average load and our server will finally freeze. Test it out before Apache release the fix 😀