Apache hit by DoS tool

Apache developers have been warned of a denial-of-service (DoS) tool which exploits a bug in the web server.

“Apache Killer” first appeared on Friday in a post to the Full Disclosure security mailing list. Today the Apache project acknowledged the vulnerability that the attack tool exploits.

Plans are to release a fix for Apache 2.0 and 2.2 in the next 48 hours, which will mean a tricky couple of days for Apache users.

“The denial of service vulnerability was found in the way the multiple overlapping ranges are handled by Apache,” the group said in its security advisory. All versions in the 1.3 and 2.0 lines are vulnerable to attack.

It is pretty likely that it also hits Apache 1.3, which is no longer supported but still widely deployed; that could cause problems, because 1.3 will not be patched.

The advisory said that an attack tool is circulating in the wild, and active use of the tool has been seen. The attack can be carried out remotely, and a modest number of requests can cause very significant memory and CPU usage on the server.

But the bug has been around for ages: Michal Zalewski raised the DoS flaw in Apache in 2007.

Until a patch is ready, Apache has offered a few workarounds to defend web servers.
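As an added defensive example, not code from the article, the Apache project or the attack tool: a small Python check that parses a request's Range header and flags requests carrying more than an assumed threshold of ranges, or ranges that overlap one another, run over constructed sample requests. The threshold, the sample requests and the function names are assumptions for illustration.

```python
import re

# Constructed sample requests, not taken from the article or from the tool:
# (request line, Range header value or None).
SAMPLE_REQUESTS = [
    ("GET /index.html HTTP/1.1", None),
    ("GET /big.iso HTTP/1.1", "bytes=0-499,500-999"),
    ("GET /big.iso HTTP/1.1", "bytes=0-100,50-150"),
    ("GET /big.iso HTTP/1.1", "bytes=" + ",".join(f"0-{i}" for i in range(200))),
]

MAX_RANGES = 5  # assumed threshold, not a value given in the article


def parse_ranges(value):
    """Return (start, end) pairs; 'n-' -> (n, None), suffix '-n' -> (None, n).
    Raises ValueError on non-numeric bounds; returns [] if not a byte range."""
    m = re.match(r"^\s*bytes\s*=\s*(.*)$", value)
    if not m:
        return []
    pairs = []
    for part in m.group(1).split(","):
        first, _, last = part.strip().partition("-")
        pairs.append((int(first) if first else None, int(last) if last else None))
    return pairs


def has_overlap(ranges):
    """True if two explicit ranges share a byte. Suffix ranges (start None)
    are skipped because their position depends on the file size."""
    spans = sorted((s, float("inf") if e is None else e)
                   for s, e in ranges if s is not None)
    return any(start <= prev_end
               for (_, prev_end), (start, _) in zip(spans, spans[1:]))


def should_reject(range_value, max_ranges=MAX_RANGES):
    """Decide whether a Range header looks like an overlapping-range flood."""
    if range_value is None:
        return False, "no Range header"
    try:
        ranges = parse_ranges(range_value)
    except ValueError:
        return True, "malformed Range header"
    if len(ranges) > max_ranges:
        return True, f"{len(ranges)} ranges exceed the limit of {max_ranges}"
    if has_overlap(ranges):
        return True, "overlapping ranges"
    return False, "ok"


def triage(requests):
    """Return (request line, reason) for each request that would be refused."""
    decisions = [(line, should_reject(rng)) for line, rng in requests]
    return [(line, why) for line, (reject, why) in decisions if reject]
```

The same logic is what a front-end proxy or a server rewrite rule would apply before the request reaches the range-handling code.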