What is Apache killer?

Apache Killer is a script which aims to exploit an Apache vulnerability.
Basically, it makes Apache fill up the /tmp directory, which makes the web server unstable.

Who is concerned?

Anybody running a website on Apache.
See the Apache announcement.

How can Aloha Load-Balancer help you?

First, let’s have a look at the diagram below:

The Aloha can clean up your Range headers, limit the connection rate from malicious clients, and even emulate the success of the attack.

Protect against Range header

Basically, the attack consists of sending a lot of Range headers to the web server.
So, if a "client" sends more than 10 Range headers, we can consider this an attack and clean them up.
Just add the two lines below to your Layer 7 (HAProxy) backend configuration to protect your Apache web servers:

[sourcecode language="text"]
backend bk_http
[…]
# Detect an ApacheKiller-like attack: more than 10 Range headers in one request
acl weirdrangehdr hdr_cnt(Range) gt 10
# Clean up the request by removing every Range header (case-insensitive)
reqidel ^Range if weirdrangehdr
[…]
[/sourcecode]

Protect against service abuser

Since this kind of attack is combined with a DoS, you can blacklist bad guys with the configuration below.
It will limit users to 10 connections over a 10s period, then hold the connection for 10s before answering a 503 HTTP response.

You should adjust the values below to your website traffic.
[sourcecode language="text"]
frontend ft_http
[…]
option http-server-close

# Setup stick table (gpc0 holds the "marked as abuser" flag per source IP)
stick-table type ip size 1k expire 30s store gpc0
# Source already flagged as a DoS client in the table above
acl MARKED src_get_gpc0(ft_http) gt 0
# Tarpit attackers if the source is flagged
use_backend bk_tarpit if MARKED
# If not blocked, track the connection
tcp-request connection track-sc1 src if ! MARKED

default_backend bk_http
[…]

backend bk_http
[…]
# Table to track connection rate
stick-table type ip size 1k expire 30s store conn_rate(5s)
# Track request
tcp-request content track-sc2 src
# Mark as abuser if more than 10 connections
acl ABUSER sc2_conn_rate gt 10
# Increment gpc0 in the frontend table (always true, used for its side effect)
acl MARKED_AS_ABUSER sc1_inc_gpc0
# Block connection considered as abuser
tcp-request content reject if ABUSER MARKED_AS_ABUSER
[…]

# Slow down attackers
backend bk_tarpit
mode http
# hold the connection for 10s before answering
timeout tarpit 10s
# Emulate a 503 error (the tarpit answers with a 500 status, whose body is replaced by this file)
errorfile 500 /etc/errors/500_tarpit.txt
# slow down any request coming up to here
reqitarpit .
[/sourcecode]
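To see how the two rules above behave on concrete input, here is an added Python model of them (example code written for this page, not Aloha or HAProxy code): `range_filter` reproduces the Range-header rule from the first snippet, and `AbuseTracker` reproduces the conn_rate / gpc0 logic of the second one. The sample request, the source addresses and the timings are constructed; table expiry is not modelled.

```python
from collections import defaultdict, deque

RANGE_LIMIT = 10    # acl weirdrangehdr hdr_cnt(Range) gt 10
CONN_LIMIT = 10     # acl ABUSER sc2_conn_rate gt 10
RATE_WINDOW = 5.0   # stick-table ... store conn_rate(5s)

# Constructed sample: a request carrying far more Range headers than normal.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                  + b"Range: bytes=0-,5-1,5-2,5-3\r\n" * 12 + b"\r\n")

def parse_headers(raw):
    """Split the header block of a raw HTTP request into (name, value) pairs."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs

def range_filter(headers):
    """Mirror 'reqidel ^Range if weirdrangehdr': when more than RANGE_LIMIT
    Range headers are present, drop all of them (case-insensitive, like reqidel).
    Returns (filtered_headers, flagged)."""
    count = sum(1 for name, _ in headers if name.lower() == "range")
    if count > RANGE_LIMIT:
        return [h for h in headers if h[0].lower() != "range"], True
    return headers, False

class AbuseTracker:
    """Per-source state modelled on the two stick-tables: recent connection
    timestamps stand in for conn_rate(5s), gpc0 is the 'abuser' flag."""
    def __init__(self):
        self.conns = defaultdict(deque)
        self.gpc0 = defaultdict(int)

    def on_connection(self, src, now):
        """Decision for one new connection from src at time `now` (seconds):
        'tarpit' (already marked), 'reject' (just crossed the rate) or 'accept'."""
        if self.gpc0[src] > 0:               # acl MARKED src_get_gpc0(ft_http) gt 0
            return "tarpit"                  # use_backend bk_tarpit if MARKED
        window = self.conns[src]
        window.append(now)                   # tcp-request content track-sc2 src
        while window and now - window[0] > RATE_WINDOW:
            window.popleft()                 # forget connections outside the 5s window
        if len(window) > CONN_LIMIT:         # acl ABUSER sc2_conn_rate gt 10
            self.gpc0[src] += 1              # acl MARKED_AS_ABUSER sc1_inc_gpc0
            return "reject"                  # tcp-request content reject if ABUSER MARKED_AS_ABUSER
        return "accept"

def demo():
    """Run both rules over the constructed sample; returns (flagged, decisions)."""
    _, flagged = range_filter(parse_headers(SAMPLE_REQUEST))
    tracker = AbuseTracker()
    decisions = [tracker.on_connection("203.0.113.5", 0.1 * i) for i in range(12)]
    return flagged, decisions
```

With 12 connections from one address within about a second, the 11th is rejected and marks the source, and the 12th is sent to the tarpit, which is the order of events the two stick-tables produce.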

Open a shell on your Aloha Load-Balancer, then:

  • create the directory /etc/errors/
  • create the file 500_tarpit.txt with the content below.

500_tarpit.txt:

[sourcecode language="text"]
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Content-Length: 310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Error</title>
</head>
<body><h1>Something went wrong</h1></body>
</html>
[/sourcecode]

Don’t forget to save your configuration with the command

config save
