From: Brett Glass <brett@lariat.org>
To: stable@freebsd.org
Date: Tue, 9 Jul 2002 01:12:11 -0600 (MDT)
Subject: Apache 2 subject to DoS from worms; downgrade to 1.3.26 recommended
Message-Id: <200207090712.BAA04080@lariat.org>

After the recent Apache security notices, I upgraded a few FreeBSD Web servers to Apache 2.0.39, thinking that this would avoid exploitation of those servers. Alas, this turned out to be a mistake.

For some reason, a FreeBSD server running Apache 2, when hit by the apache-scalp.c exploit or the worm that was built from it, seems to spawn the maximum number of httpd child processes and then stop handling incoming requests. While the exploit doesn't root the machine, the child processes (which are about 50% bigger than the ones spawned by Apache 1.3.x!) seem to get "wedged"; they never become available to handle more requests. So, more and more children are spawned until the "MaxClients" limit is reached or swap is exhausted. In either case, the server stops handling requests.

Apache 1.3.26 doesn't seem susceptible to this problem... especially if one installs mod_blowchunks, which kills the session as soon as an attempt to exploit the server via chunked encoding is detected.

I'd like to move to Apache 2.x as soon as possible.
But since one of the main benefits of 2.x is its ability to use threading (not advisable under FreeBSD), and since the child processes are fatter and subject to denials of service, I'm sticking with 1.3.x for the moment.

Have others experienced the same problems?

(Note: I'm not subscribed to -STABLE right now, so please copy me as well as the list on responses.)

--Brett Glass
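The post describes killing a session "as soon as an attempt to exploit the server via chunked encoding is detected". The script below is an added illustration of what such a front-end check looks like; it is not code from the post, from apache-scalp.c, from the worm, or from mod_blowchunks. It parses the chunk-size lines of a chunked HTTP request body and flags a chunk size that does not fit in a signed 32-bit integer, on the assumption (stated in the code) that this is the sign-wrap pattern the 2002 chunked-encoding exploits relied on. The request bytes are constructed samples, not captures.

```python
"""Flag chunked-encoding requests whose chunk size would wrap a signed
32-bit integer.  Added example; not the list post's, apache-scalp.c's or
mod_blowchunks's code.  Assumptions are marked in comments."""
import re

# Assumption: Apache of the era parsed the hex chunk size into a signed
# 32-bit value, so anything >= 2**31 went negative.  No legitimate client
# needs a single chunk that large, so we treat it as an attack marker.
MAX_SANE_CHUNK = 2**31 - 1

# chunk-size line: hex digits, optional ";ext" part, CRLF.  No '^': we
# anchor with pattern.match(body, pos) instead, which starts at pos.
CHUNK_SIZE_RE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


def split_headers(raw: bytes):
    """Return (request_line, {lowercased-name: value}, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers CRLFCRLF in request")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_chunked(headers) -> bool:
    return b"chunked" in headers.get(b"transfer-encoding", b"").lower()


def inspect_chunks(body: bytes, max_chunk: int = MAX_SANE_CHUNK):
    """Walk the chunk-size lines; return [(size, verdict), ...].

    Stops at the first problem, mirroring a filter that would drop the
    connection on the first bad chunk-size line rather than read on."""
    findings = []
    pos = 0
    while pos < len(body):
        m = CHUNK_SIZE_RE.match(body, pos)
        if not m:
            findings.append((None, "malformed chunk-size line"))
            break
        size = int(m.group(1), 16)
        if size > max_chunk:
            findings.append((size, "oversized chunk (wraps negative in a 32-bit signed int)"))
            break
        pos = m.end()
        if size == 0:
            findings.append((0, "ok: last chunk"))
            break
        pos += size
        # every chunk's data must be followed by CRLF
        if body[pos:pos + 2] != b"\r\n":
            findings.append((size, "chunk data not CRLF-terminated / truncated"))
            break
        pos += 2
        findings.append((size, "ok"))
    return findings


def classify_request(raw: bytes) -> str:
    """Return 'not-chunked', 'clean', or 'suspicious: <reason>'."""
    _, headers, body = split_headers(raw)
    if not is_chunked(headers):
        return "not-chunked"
    for _, verdict in inspect_chunks(body):
        if not verdict.startswith("ok"):
            return "suspicious: " + verdict
    return "clean"


# Constructed sample requests (not captured traffic).
BENIGN = (b"POST /cgi-bin/form HTTP/1.1\r\nHost: www.example.org\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")
# chunk size FFFFFFF0 = 4294967280, far above 2**31-1
OVERSIZED = (b"POST / HTTP/1.1\r\nHost: www.example.org\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n"
             b"FFFFFFF0\r\n" + b"A" * 64 + b"\r\n0\r\n\r\n")
PLAIN = b"GET / HTTP/1.0\r\nHost: www.example.org\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("oversized", OVERSIZED), ("plain", PLAIN)):
        print(name, "->", classify_request(req))
```

The check deliberately decides on the chunk-size line alone, before any chunk data is consumed; that is the same early-exit point the post credits mod_blowchunks with, and it is what keeps a child process from being tied up reading a body that was never going to be well-formed.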