
Apache DDoS vulnerability requires immediate update to avoid threat

Apache has released an updated version of its Web server to address a DDoS vulnerability, for which exploit tools have been found in the wild.


A new version of the Apache open source Web server, which runs 65% of the world’s websites, has been issued to disable a vulnerability that exposed it to a potential distributed denial-of-service (DDoS) attack.

In an Aug. 31 announcement, the Apache Software Foundation and the Apache HTTP Server Project said they had released version 2.2.20 of the Apache HTTP Server in order to fix the flaw, identified last week. “We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade,” the announcement said.

The new version was produced quickly because a tool that exploits the vulnerability (CVE-2011-31092) was identified in the wild.

Sophos Web Consultant Mark Stockley wrote on the Sophos Labs Naked Security blog that the vulnerability would allow attackers to mount an Apache DDoS attack without having masses of computing firepower at their disposal.

The vulnerability can be exploited through a feature of Web servers that allows users to pause and resume their downloads (HTTP byte-range requests). As Stockley described it: “You can legitimately ask for hundreds of very large overlapping parts of a file in a single request. Enough parts that a relatively modest number of requests can tie a server's CPU and memory in knots.”

He noted this is partly due to a weakness in the HTTP protocol, meaning other Web servers might also be vulnerable.

The new version of Apache reduces the amount of memory used by range requests, and, if the total number of bytes requested exceeds the size of the file, httpd (the Apache HTTP daemon that handles incoming requests) will return the entire file instead.
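To make the two ideas above concrete (Stockley's "hundreds of overlapping parts" and the 2.2.20 behaviour of serving the whole file when the requested bytes exceed the file size), here is an added example of the server-side check a defender would want; it is illustrative code written for this article, not Apache's own implementation, and the cap of five ranges per request and the sample headers are assumptions chosen for the demonstration.

```python
import re
from typing import List, Optional, Tuple

Ranges = List[Tuple[int, int]]
RANGE_RE = re.compile(r"^bytes=(.+)$")  # only the "bytes" unit is meaningful here

def parse_ranges(header: str, file_size: int) -> Optional[Ranges]:
    """Turn a Range header into absolute (first, last) byte pairs.
    Returns None when the header is not a well-formed byte-range spec."""
    m = RANGE_RE.match(header.strip())
    if not m:
        return None
    spec: Ranges = []
    for part in m.group(1).split(","):
        first, sep, last = part.strip().partition("-")
        if not sep:
            return None
        if first == "":                         # suffix form "-N": the last N bytes
            if not last.isdigit() or int(last) == 0:
                return None
            start, end = max(0, file_size - int(last)), file_size - 1
        else:                                   # "N-" or "N-M"
            if not first.isdigit() or (last and not last.isdigit()):
                return None
            start = int(first)
            end = min(int(last), file_size - 1) if last else file_size - 1
        if start <= end:                        # silently drop unsatisfiable parts
            spec.append((start, end))
    return spec

def merge_ranges(ranges: Ranges) -> Ranges:
    """Coalesce overlapping or adjacent ranges so each byte is buffered once."""
    merged: Ranges = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def assess_range_request(header: str, file_size: int, max_ranges: int = 5):
    """Decide how to serve the request: 'reject' when more than max_ranges
    parts are asked for (assumed policy cap), 'full' when the header cannot
    be parsed or the bytes requested exceed the file size (the 2.2.20 rule),
    otherwise 'partial' with the merged ranges actually worth sending."""
    ranges = parse_ranges(header, file_size)
    if ranges is None:
        return "full", []
    if len(ranges) > max_ranges:
        return "reject", ranges
    if sum(end - start + 1 for start, end in ranges) > file_size:
        return "full", ranges
    return "partial", merge_ranges(ranges)
```

A constructed header such as `bytes=0-,5-,10-` against a 1000-byte file asks for 2,985 bytes and is therefore served as the whole file, while twenty repeated `0-` parts trip the range-count cap before any buffering happens.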

Network administrators are strongly advised to update their systems immediately. Also writing on the Sophos blog, Senior Security Advisor Chester Wisniewski observed: “Many Linux and Unix administrators ‘set and forget’ their installations and never bother to look after their servers. The Apache team should be applauded for testing and releasing an important security fix so quickly. Now it is up to you, the IT administrators, who are using Apache to follow through and apply these fixes.”
