
Memory hogs

A second variety of denial of service attacks are those that eat up the victim system's memory. Here are two typical examples:

The HTTP protocol specification requires that if a web server sees more than one header line of the same name, it should glue them together and treat them as one long line. The Apache server implemented this using buffers that grew dynamically as required. So if an attacker opened an HTTP connection to an Apache host and sent a continuous stream of header lines like this:

    Browser: bla bla bla bla eat up memory
    Browser: bla bla bla bla eat up memory
    ...

Earlier versions of Apache would put all these lines (excluding the Browser: tag) in a single buffer. The big problem was that the buffer was grown exponentially, i.e. 1K, 2K, 4K, 16K, etc. Using this attack it was easy to bring an Apache server to its knees.

Another example is wu-ftpd, the Washington University FTP daemon. It supports globbing, i.e. you can ask it to do LIST foo* and it will first replace foo* with all files that match this pattern, and then invoke the /bin/ls command with this list. [9.2]

This globbing routine would go berserk if you asked it to expand /*/../*/../*/../*/.. etc., because the number of file names this produces grows quite quickly: The first /*/ will match all top-level directories in the FTP area, creating a list of bin, etc, lib and pub, for instance. The next path component, /../, contains no globbing characters and will thus be appended literally, yielding bin/.., etc/.., and so on. Then comes another asterisk, which will again match all directories relative to each name in the list. That is, bin/../* will expand to bin/../bin, bin/../etc, bin/../lib, and bin/../pub; etc/../* will expand to etc/../bin, etc/../etc, and so on. Altogether, this yields 16 names. So with each ../* component, the number of names matched is quadrupled. As a consequence, memory consumption roughly quadruples, too. In other words, it is exponential in the length of the pattern.

This attack shows the same characteristics we found in the attack on fingerd above. The attacker transmits a few hundred bytes, and manages to take down the entire system. The resource being starved in this case is memory, which makes the attack no less effective.

One thing is worth noting here, however. Memory consumption will only become an issue if the attacker is able to cause the application's memory consumption to be an exponential function of the attacker's input. If the attacker needs to send N bytes of data in order for the application to consume 2N bytes of memory, that is not a very effective denial of service attack.

Therefore, the Apache problem described above was fixed simply by making sure that the amount of memory is allocated as a linear function of user input.

The globbing problem in wu-ftpd needed to be fixed differently. One approach was to reject any glob patterns that have ../ in them. This does not really help, though, because the glob pattern .{}./ is equivalent to ../ but won't be picked up by a simple string comparison. [9.3]

The solution that really fixes the problem is to put an upper limit of 100 or 200 on the number of names returned by the glob function.
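The component-by-component expansion described above, together with the upper limit on returned names proposed as the fix, as an added Python example (this is not wu-ftpd's code). The FTP area is a constructed in-memory tree holding the four directories named in the text; the function names, the GlobLimitExceeded exception and the 200-name limit are assumptions of this example.

```python
import fnmatch
import posixpath

# Constructed sample FTP area: the four top-level directories from the text.
FTP_AREA = {"bin": {}, "etc": {}, "lib": {}, "pub": {}}

# Assumed upper bound on names a single glob may return (text suggests 100 or 200).
MAX_NAMES = 200


class GlobLimitExceeded(Exception):
    """Raised when a pattern would expand to more than the allowed number of names."""


def _resolve(tree, path):
    """Look up a (possibly 'bin/../etc'-style) path in the constructed tree; None if absent."""
    node = tree
    for part in posixpath.normpath(path).split("/"):
        if part in ("", "."):
            continue
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def expand_glob(tree, pattern, limit=None):
    """Expand 'pattern' one path component at a time, keeping names literal
    (bin/../etc stays bin/../etc), the way the text describes wu-ftpd doing it.
    With 'limit' set, abort as soon as the name list grows beyond it."""
    names = [""]  # start at the root of the FTP area
    for comp in pattern.strip("/").split("/"):
        expanded = []
        for prefix in names:
            if any(c in comp for c in "*?["):
                # Wildcard component: match against the entries of each prefix directory.
                entries = _resolve(tree, prefix)
                if isinstance(entries, dict):
                    expanded.extend(posixpath.join(prefix, e) for e in sorted(entries)
                                    if fnmatch.fnmatchcase(e, comp))
            else:
                # Literal component such as '..': appended as-is if the path exists.
                candidate = posixpath.join(prefix, comp)
                if _resolve(tree, candidate) is not None:
                    expanded.append(candidate)
            if limit is not None and len(expanded) > limit:
                raise GlobLimitExceeded(f"pattern {pattern!r} exceeds {limit} names")
        names = expanded
    return names


def glob_is_rejected(tree, pattern, limit=MAX_NAMES):
    """True if the limited expansion refuses the pattern, False if it is served."""
    try:
        expand_glob(tree, pattern, limit)
        return False
    except GlobLimitExceeded:
        return True
```

Each `../*` component multiplies the name count by the number of top-level directories, so the unlimited expansion of `/*/../*/../*/../*/../*` yields 1024 names from a four-directory area, while the limited version rejects it after the fourth component.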


Olaf Kirch 2002-01-16