Attacks on Apache

  • 8/11/2019 Attacks on Apache

    1/26

    ATTACKS ON APACHE

    Hatim Khalafallah Al-Tom

    Mohammed Al-Hadi

  • 2/26

    What is a web server?

    A web server can be a computer program responsible for accepting HTTP requests from clients (web browsers).

    [Diagram: the client (browser) sends an HTTP request to the web server; the web server returns a response carrying HTML data]

  • 3/26

    Web servers

    Apache Web Server

    IIS Web Server

    Sun ONE Web Server

  • 4/26

    Apache

    Initially started in 1996 by Robert McCool.

    Since 1996, the Apache web server has been the most popular HTTP server in the market on the World Wide Web.

    Apache was the first web server architecture used by the Netscape Communications Corporation.

    Apache has evolved along with the internet over the years. The server is used to support both static and dynamic pages online. Many programming languages are supported by the Apache server, such as PHP and Python. The Apache server serves approximately 50% of current web pages.

    1.1. Apache: Brief Background

  • 5/26

    Denial of Service

    Buffer Overflows

    Web servers, like all other computers, can be compromised by buffer overflows.

    The web server is easy to find and connected to the Internet, so it is a common target.

    A buffer overflow occurs when the amount of data being written to memory is larger than the amount of memory reserved for the operation. When that occurs, the data being written actually gets written to memory beyond the reserved section. As a result, the extra data has to go somewhere; and you can bet your next paycheck that it will be going somewhere undesirable.

    As we've noted throughout this book, the dreaded buffer overflow attack symbolizes the coup de grace of hacking. Given the appropriate conditions, buffer overflows often result in the ability to execute arbitrary commands on the victim machine, typically with very high privilege levels.

  • 6/26

    Denial of Service Attacks

    1. Denial of service

    A denial of service is designed to stop legitimate users from using some service.

    You can cause a denial of service against a web site by simply sending an awful lot of traffic to it.

    The web server cannot tell which traffic is legitimate and which is part of the denial of service.

  • 7/26

    Distributed Denial of Service Attacks

    [Diagram: the attacker controls several zombie hosts, which all send traffic to the victim]

  • 8/26

    Reflection DoS Attacks

    Distributed reflection denial of service attack

    [Diagram: the attacker sends packets to several intermediary hosts, whose replies all go to the victim]

  • 9/26

    Reflection DoS Attacks

    Uses innocent intermediary nodes (routers and servers) known as reflectors.

    An attacker sends packets that require responses to the reflectors, with the packets' inscribed source address set to the victim's address.

    Can be done using TCP, UDP or other protocols.

    Examples: Smurf attacks: the attacker sends an ICMP echo request to a subnet-directed broadcast address with the victim's address as the source address.

    SYN-ACK flooding: reflectors respond with SYN-ACK packets to the victim's address.

  • 10/26

    Reflection DDoS: SYN-Attack

    TCP connection tables in servers are a limited resource.

    By generating huge numbers of connection requests to a server, it can effectively be taken down.

    Doesn't require huge amounts of bandwidth to launch this attack.

  • 11/26

    SYN-Attack

    [Diagram: the normal handshake (client sends SYN, server answers SYN-ACK, client sends ACK) beside the attack (attacker with a spoofed IP sends SYN, server answers SYN-ACK, and no ACK follows)]

  • 12/26

    Reflection DDoS: Smurf Attack

    Every host on the amplifier network sees the ping (because it is broadcast) and replies to the (apparent) source with a 65000-byte reply.

    N x 65000-byte ping replies hit the victim (where N is the number of hosts on the amplifier network).

  • 13/26

    LOIC tool

    Low Orbit Ion Cannon.

    Anonymous group.

  • 14/26

    LOIC tool

    Primitive DDoS attack, controlled via IRC (Internet Relay Chat). Sends thousands of packets per second from the attacker directly to the target.

    Takes thousands of participants to bring down a large site.

    There are two versions: a Windows binary and a JavaScript version.

    They tried to bring down Amazon but failed.

  • 15/26

    Another DoS: Slowloris

    One attacker, one target.

    Sends incomplete GET requests.

    Freezes Apache with one packet per second.

    Incomplete HTTP POSTs stop IIS, but require thousands of packets per second.

  • 16/26

    Apache has a queue of approx. 256 requests.

    Each one waits approx. 400 seconds by default for the request to complete.

    So less than one packet per second is enough to occupy them all.

    Low-bandwidth DoS -- no collateral damage!
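To make the slide's arithmetic concrete, here is an added example (not from the slides) that simulates one slow client against a pool of 256 worker slots with the 400 s completion timeout, and then against a much shorter read timeout of the kind mod_reqtimeout enforces. The slot model, the 20 s header limit and the event timing are assumptions.

```python
import heapq

# Assumed model (not Apache's real code): each connection occupies one worker
# slot until the request completes or the server's read timeout releases it.
SLOTS = 256                # the slide's "queue of approx. 256 requests"
DEFAULT_TIMEOUT = 400      # seconds a slot waits for the request to complete
SHORT_HEADER_TIMEOUT = 20  # assumed mod_reqtimeout-style limit on reading headers

def requests_per_second_to_fill(slots=SLOTS, timeout=DEFAULT_TIMEOUT):
    """Steady-state arrival rate of never-completed requests needed to keep
    all `slots` busy: slots / timeout (0.64 req/s for the slide's numbers)."""
    return slots / timeout

def occupied_slots(slots, timeout, interval, horizon):
    """Simulate one slow client that opens a new partial request every
    `interval` seconds and never completes it. Each pending request holds a
    slot until `timeout` seconds pass. Returns the peak number of busy slots
    seen within `horizon` seconds (capped at `slots`)."""
    release_times = []  # min-heap of times at which busy slots free up
    peak = 0
    t = 0.0
    while t <= horizon:
        while release_times and release_times[0] <= t:
            heapq.heappop(release_times)               # timeout expired, slot freed
        if len(release_times) < slots:
            heapq.heappush(release_times, t + timeout)  # new partial request
        peak = max(peak, len(release_times))
        t += interval
    return peak

if __name__ == "__main__":
    print("rate needed to fill all slots: %.2f req/s" % requests_per_second_to_fill())
    print("1 req/s, 400 s timeout  -> busy slots:",
          occupied_slots(SLOTS, DEFAULT_TIMEOUT, 1.0, 600))
    print("1 req/s, 20 s header timeout -> busy slots:",
          occupied_slots(SLOTS, SHORT_HEADER_TIMEOUT, 1.0, 600))
```

At one request per second the default timeout lets the client hold every slot, while the short header timeout caps it at 20; at one request every two seconds (0.5 req/s, below the 0.64 req/s threshold) the pool never fills.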

  • 17/26

    Buffer overflow

    A buffer overflow occurs when an attempt is made to use a limited-length buffer to store a larger piece of data. Because of the lack of boundary checking, some amount of data will be written to memory locations immediately following the buffer.

  • 18/26

    Case study: Apache Slapper Worm

    The Apache Slapper Worm is arguably the worst thing to happen to Apache. It uses vulnerabilities in the OpenSSL subsystem to break into a system running Apache. It proceeds to infect other systems and calls back home to become a part of a distributed denial of service (DDoS) network. Some variants install a backdoor, listening on a TCP/IP port. The worm only works on Linux systems running on the Intel architecture. The behavior of this worm serves as an excellent case study and a good example of how some of the techniques we used to secure Apache help in real life. The worm uses a probing request to determine the web server make and version from the Server response header and attacks the servers it knows are vulnerable. A changed server signature would, therefore, protect from this worm. Subsequent worm mutations stopped using the probing request, but the initial version did, and this still serves as an important point. Once a vulnerable system is found, the worm source code is uploaded (to /tmp) and compiled. The worm would not spread to a system without a compiler, to a system where the server is running from a jail, or to a system where code execution in the /tmp directory is disabled (for example, by mounting the partition with a
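Added check, not part of the slides: parse the Server header of a raw HTTP response and list every product/version token it advertises, which is exactly what the worm's probing request matched on. Both sample responses are constructed; the version numbers in them are illustrative, not taken from a real host.

```python
import re

# Constructed sample responses (not captured from a real server).
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
MINIMAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# product/version pairs such as "Apache/1.3.26" or "OpenSSL/0.9.6g"
VERSION_TOKEN = re.compile(r"\b[\w.-]+/\d+(?:\.\d+)*[a-z]?")

def server_header(raw_response):
    """Return the value of the Server header, or None if it is absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def banner_reveals_versions(raw_response):
    """List the product/version tokens the banner gives away. An empty list
    means a version-probing worm has nothing to match on."""
    value = server_header(raw_response)
    if value is None:
        return []
    return VERSION_TOKEN.findall(value)

if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE_RESPONSE), ("minimal", MINIMAL_RESPONSE)):
        print(label, "->", banner_reveals_versions(resp))
```

With `ServerTokens Prod` (and `ServerSignature Off` for error pages) Apache sends only `Server: Apache`, which is the second sample above.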

  • 19/26

    Common Web Application Vulnerabilities

    Cross-Site Scripting (XSS)

    SQL Injection

  • 20/26

    SQL injection

    Using SQL injections, attackers can:

    - Delete or add new data to the database. Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site. (Perform an INSERT in the injected SQL.)

    - Modify data currently in the database. Could be very costly to have an expensive item suddenly be deeply discounted. (Perform an UPDATE in the injected SQL.)

    - Often can gain access to other users' system capabilities by obtaining their password.
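The "deeply discounted item" case, as an added example that is not from the slides: a discount routine that pastes the product name into an UPDATE statement beside the same routine with a bound parameter. The in-memory SQLite catalogue and the input that widens the WHERE clause are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory catalogue (sample data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT PRIMARY KEY, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("laptop", 1500.0), ("mouse", 20.0)])
    return conn

def discount_vulnerable(conn, name):
    """Halve the price of one product. The name is spliced into the SQL text,
    so whatever the user typed becomes part of the WHERE clause."""
    sql = "UPDATE products SET price = price * 0.5 WHERE name = '%s'" % name
    return conn.execute(sql).rowcount          # rows actually updated

def discount_parameterized(conn, name):
    """Same operation with a bound parameter: the name is only ever a value,
    never SQL, so it can only match a product literally called that."""
    sql = "UPDATE products SET price = price * 0.5 WHERE name = ?"
    return conn.execute(sql, (name,)).rowcount

def prices(conn):
    return dict(conn.execute("SELECT name, price FROM products ORDER BY name"))

# Constructed input: closes the quoted literal and widens the condition so it
# is true for every row, which is how an injected UPDATE reprices the catalogue.
WIDENED_NAME = "nothing' OR 'x'='x"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, rows updated:", discount_vulnerable(db, WIDENED_NAME), prices(db))
    db = make_db()
    print("parameterized, rows updated:", discount_parameterized(db, WIDENED_NAME), prices(db))
```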

  • 21/26

    Cross-Site Scripting (XSS) Attacks

    One user injects code that attacks another user.

    Common on guestbooks, comment pages, forums, etc.

    Caused by failure to filter out HTML tags: these characters < > ( ) # &

    Also watch out for hex-encoded versions: %3c instead of <, %22 instead of "
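Added example (not from the slides) of the point about hex-encoded versions: a filter that checks the raw text misses `%3c`, so the input is percent-decoded to a fixed point first, and then, instead of stripping tags, everything special is HTML-escaped on output. The character set is the slide's; the decode-round limit is an assumption.

```python
import html
from urllib.parse import unquote

# The characters the slide says must not reach the page unfiltered.
SUSPECT_CHARS = set('<>()#&"')

def normalize(value, max_rounds=3):
    """Percent-decode until the text stops changing (at most max_rounds
    passes), so %3c, and double-encoded %253c, become a literal '<' before
    any filtering decision is made. The round limit is an assumption."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value

def contains_markup_chars(value):
    """True if the input, once normalized, holds any suspect character.
    Checking the raw text instead would miss the hex-encoded forms."""
    return any(ch in SUSPECT_CHARS for ch in normalize(value))

def render_untrusted(value):
    """What a guestbook should emit for user-supplied text: normalize, then
    HTML-escape every special character rather than trying to strip tags."""
    return html.escape(normalize(value), quote=True)

if __name__ == "__main__":
    for sample in ("%3cb%3ehi%3c/b%3e", "%253cb%253e", 'say %22hi%22 & bye'):
        print(repr(sample), "->", contains_markup_chars(sample), render_untrusted(sample))
```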

  • 22/26

    Apache Vulnerabilities

    Programming errors come in different shapes. Many have security implications. A programming error that can be exploited to abuse system resources should be classified as a vulnerability. For example, in 1998, a programming error was discovered in Apache: specially crafted small-sized requests caused Apache to allocate large amounts of memory. For more information, see:

    YA Apache DoS Attack, discovered by Dag-Erling Smørgrav (http://marc.theaimsgroup.com/?l=bugtraq&m=90252779826784&w=2)

  • 23/26

    Apache Vulnerabilities

    Non-exploitable buffer overflows can cause the server to crash when attacked. (Exploitable buffer overflows are not likely to be used as DoS attacks, since they can and will be used instead to compromise the host.)

    When Apache is running in prefork mode, as it usually is, there are many instances of the server running in parallel. If a child crashes, the parent process will create a new child. The attacker will have to send a large number of requests constantly to disrupt the operation.

  • 24/26

    Apache Vulnerabilities

    In a multithreaded (not prefork) mode of operation there is only one server process. A crash while processing a request will cause the whole server to go down and make it unavailable. This will be easy to detect because you have server monitoring in place or you start getting angry calls from your customers.

  • 25/26

    Apache Vulnerabilities

    Reverse Proxy Servers

    Depending on the reverse proxy configuration, the vulnerability could allow access to internal systems from the Internet.

    Web proxy servers may work both ways!

    Typically meant to allow users from within a network to access external web sites.

    May end up proxying HTTP requests from the outside world to the internal network, e.g. Compaq Insight Manager.

    Usually happens when the front end web server proxies requests to back end app servers.

  • 26/26

    [Diagram: a client at 192.168.7.248 sends "GET http://10.0.1.2/ HTTP/1.0" to the web server at 10.0.1.1, which forwards the request to the internal DB host at 10.0.1.2]
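Added detection example, not part of the slides: scan Apache access-log lines for proxy-style requests (an absolute URI as the request target, as in the diagram) whose host is an internal address, which is the trace an inward-proxying front end leaves behind. The log lines, the address ranges treated as internal and the common-log-format regex are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed access-log lines in Apache common log format (sample data).
SAMPLE_LOG = """\
192.168.7.248 - - [11/Aug/2019:10:00:01 +0000] "GET / HTTP/1.0" 200 512
192.168.7.248 - - [11/Aug/2019:10:00:02 +0000] "GET http://10.0.1.2/ HTTP/1.0" 200 2048
203.0.113.9 - - [11/Aug/2019:10:00:03 +0000] "GET http://www.example.com/ HTTP/1.1" 200 1024
"""

# Assumed set of address ranges that count as "internal" for this check.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# client, method, request target and status code from a common-log-format line
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def proxied_internal_requests(log_text, internal_nets=INTERNAL_NETS):
    """Return (client, target_host, status) for every request whose target is
    an absolute URI pointing at an internal address: evidence that the server
    relayed an outside request into the internal network."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        if "://" not in target:
            continue                  # origin-form request ("/path"): not a proxy request
        host = urlsplit(target).hostname
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue                  # a hostname, not an IP literal: outside this check
        if any(addr in net for net in internal_nets):
            hits.append((client, host, int(status)))
    return hits

if __name__ == "__main__":
    for hit in proxied_internal_requests(SAMPLE_LOG):
        print("proxied request into internal network:", hit)
```

A front end that should only forward to its own back ends keeps `ProxyRequests Off` and uses explicit `ProxyPass` mappings, so absolute-URI requests like the second log line are refused rather than relayed.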