|
ÀÛ¼ºÀÏ : 11-10-20 09:36
¾ÆÆÄÄ¡ À¥¼¹ö ¹«·ÂȽÃų ½É°¢ÇÑ DoS °áÇÔ ¹ß°ß
|
|
Á¶È¸ : 41,592
|
|
°£´ÜÇÑ HTTP ¿äû¸¸À¸·Î ½±°Ô ¼¹ö ´Ù¿î½Ãų ¼ö ÀÖ´Â ½É°¢ÇÑ º¸¾È°áÇÔ ¹ß°ß
°¡Àå ´ëÁßÀûÀ¸·Î »ç¿ëµÇ°í ÀÖ´Â À¥¼¹öÀÎ Aapche¿¡¼ °£´ÜÇÑ HTTP ¿äû¸¸À¸·Îµµ ¼¹öÀÇ CPU¿Í Memory¸¦ °¡µæ ä¿ö °£´ÜÈ÷ ¼ºñ½º¸¦ ¸¶ºñ½Ãų ¼ö ÀÖ´Â ¸Å¿ì ½É°¢ÇÑ Ãë¾à¼ºÀÌ ¹ß°ßµÇ¾î °ü¸®ÀÚµéÀÇ ÁÖÀÇ°¡ ¿ä±¸µÈ´Ù. 8¿ù 20ÀÏ¿¡ °ø°³µÈ ÀÌ °ø°Ý ÄÚµå ¹× Ãë¾à¼ºÀº RangeÀÀ´äÀÌ °¡´ÉÇϸé¼, mod_deflate ¹× mod_gzipÀÌ enableµÈ ½Ã½ºÅÛ¿¡ ÇØ´çÇϴµ¥ ÀÌ´Â ±âº» ¼³Á¤À̹ǷΠ1.3.x »Ó¸¸ ¾Æ´Ï¶ó 2.0.x, 2.2.xµî ÇöÁ¸ÇÏ´Â ¸ðµç Apache ¼¹ö°¡ Ãë¾àÇÑ °ÍÀ¸·Î ¾Ë·ÁÁ® ÀÖ´Ù.
°ø°ÝÀÇ ¿ø¸®´Â ´ÙÀ½°ú °°´Ù. Range ¿äûÀ» º¸³¾ ¶§ °ø°ÝÀÚ°¡ ¸¹Àº ¹üÀ§ÀÇ ¼·Î ´Ù¸¥ Request¸¦ º¸³»¸é, ¼¹ö¿¡¼´Â ÀÌ °¢°¢ÀÇ ¿äû¿¡ ´ëÇØ gzipÀÇ "Accept-Encoding" Çì´õ¿Í ÇÔ²² °¢°¢ ¾ÐÃàÀ» ½ÃµµÇÏ°Ô µÇ´Âµ¥, ºñÁ¤»óÀûÀÎ ¸¹Àº ¿äûÀ» ó¸®ÇÏ´Â °úÁ¤¿¡¼ ¸¹Àº CPU¿Í ¸Þ¸ð¸®¸¦ ¼Ò¸ðÇÏ°Ô µÇ°í °á±¹ ¹«ÇÑ·çÇÁ¿¡ ºüÁø °Íó·³ ½Ã½ºÅÛÀ» ºÒ¾ÈÇÏ°Ô ¸¸µå´Â °ÍÀÌ´Ù. ¸ÕÀú °ø°Ý¹æ¹ý°ú ±×¶§ÀÇ »óȲÀ» »ìÆ캸µµ·Ï ÇÏÀÚ. °ø°ÝÅøÀº ÀÌ¹Ì ÀÎÅͳݿ¡ °ø°³µÇ¾î ÀÖÀ¸¸ç °£´ÜÇÑ perl ½ºÅ©¸³Æ®·Î¼ ¾Æ·¡¿Í °°´Ù.
# ./killapache.pl Apache Remote Denial of Service (memory exhaustion) by Kingcope usage: perl killapache.pl <host> [numforks] example: perl killapache.pl www.example.com 50
¸¸¾à, Ãë¾àÇÏÁö ¾ÊÀº ½Ã½ºÅÛÀ̶ó¸é ¾Æ·¡¿Í °°ÀÌ º¸ÀÌ°Ô µÈ´Ù.
# ./ killapache.pl domain.com Host does not seem vulnerable
°ø°Ý½Ã¿¡ º¸ÀÌ´Â ÆÐŶÀº ¾Æ·¡¿Í °°´Ù.
# Ŭ¶óÀ̾ðÆ®ÀÇ ¿äû HEAD / HTTP/1.1. Host: www.example.com. Range:bytes=0-. Accept-Encoding: gzip. Connection: close.
# ¼¹öÀÇ ÀÀ´ä . HTTP/1.1 206 Partial Content. Date: Fri, 26 Aug 2011 04:02:49 GMT. Server: Apache. Last-Modified: Thu, 06 May 2010 12:16:28 GMT. ETag: "14ec78-3f-485ebe97dff00". Accept-Ranges: bytes. Content-Length: 196660. Connection: close. Content-Type: multipart/byteranges; boundary=4ab609e5f37a56e23..
# Ŭ¶óÀ̾ðÆ®ÀÇ ¿äû HEAD / HTTP/1.1. Host: www.example.com. Range:bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32,5-33,5-34,5-35,5-36,5-37,5-38,5-39,5-40,5-41,5-42,5-43,5-44,5-45,5-46,5-47,5-48,5-49,5-50,5-51
[±×¸²] °ø°Ý ¹ß»ý ÈÄ 1-2ÃÊ ÈÄ¿¡ Áï½Ã À§¿Í °°ÀÌ ¸¹Àº CPU/Memory¸¦ ¼Ò¸ðÇÏ°í ÀÖ´Â °ÍÀ» ¾Ë°Ô µÈ´Ù.
±âº»ÀûÀ¸·Î Range´Â ù¹ø° Çʵ尡 µÎ¹ø° Çʵ庸´Ù °°°Å³ª ÀÛÀº ¼ýÀÚÀ̾î¾ß Çϴµ¥, À§¿¡¼ º¸µíÀÌ, RangeÀÇ 5°³ Çʵå´Â ÀÌ ¹ýÄ¢À» À§¹ÝÇÏ¿´À¸¸ç ¿äûÇß´ø Range¸¦ Áߺ¹Çؼ ¿äûÇÏ°í ÀÖ´Â °ÍÀ» ¾Ë ¼ö ÀÖ´Ù.
°ø°ÝÀÌ ¹ß»ýÇÒ ¶§ÀÇ access_log ¸¦ º¸¸é, 206À¸·Î ÀÀ´äÇÏ¸ç ¸¶Ä¡ GET Flooding °ø°ÝÀ» ¹ÞÀ»¶§Ã³·³ µ¿ÀÏÇÑ URL¿¡ ´ëÇÑ HEAD ¶Ç´Â GET ¿äûÀÌ Áö¼ÓÀûÀ¸·Î ¹ß»ýÇÏ°Ô µÇ´Â °ÍÀ» ¾Ë ¼ö ÀÖ´Ù. µû¶ó¼, L7ŽÁö°¡ °¡´ÉÇÑ DDoS Â÷´Ü Àåºñ°¡ ÀÖ´Ù¸é °æ¿ì¿¡ µû¶ó Â÷´ÜÀÌ °¡´ÉÇÏ´Ù.
192.168.10.34- - [26/Aug/2011:12:14:52 +0900] "HEAD / HTTP/1.1" 206 - "-" "-" 192.168.10.34- - [26/Aug/2011:12:14:52 +0900] "HEAD / HTTP/1.1" 206 - "-" "-" 192.168.10.34- - [26/Aug/2011:12:14:52 +0900] "HEAD / HTTP/1.1" 206 - "-" "-" 192.168.10.34- - [26/Aug/2011:12:14:52 +0900] "HEAD / HTTP/1.1" 206 - "-" "-" 192.168.10.34- - [26/Aug/2011:12:14:52 +0900] "HEAD / HTTP/1.1" 206 - "-" "-" 192.168.10.34- - [26/Aug/2011:12:14:52 +0900] "HEAD / HTTP/1.1" 206 - "-" "-" 192.168.10.34- - [26/Aug/2011:12:14:52 +0900] "HEAD / HTTP/1.1" 206 - "-" "-" 192.168.10.34- - [26/Aug/2011:12:14:52 +0900] "HEAD / HTTP/1.1" 206 - "-" "-" 192.168.10.34- - [26/Aug/2011:12:14:52 +0900] "HEAD / HTTP/1.1" 206 - "-" "-" 192.168.10.34- - [26/Aug/2011:12:14:52 +0900] "HEAD / HTTP/1.1" 206 - "-" "-" | ±×·¸´Ù¸é, Á¤»óÀûÀÎ °æ¿ì ÀÌ Range ¿äûÀº ¾î¶°ÇÑ °æ¿ì¿¡ »ç¿ëµÇ´Â°¡? ÀÌ´Â ÁÖ·Î ´ë¿ë·®ÀÇ ÆÄÀÏÀ» ´Ù¿î·Îµå Çϰųª, À̾î¹Þ±â µî ÆÄÀÏÀÇ ÀϺθ¸À» ´Ù¿î·ÎµåÇϱ⸦ ¿øÇϰųª ¶Ç´Â p2p µî¿¡¼ ÆÄÀÏÀÇ ÀϺθ¸À» ƯÁ¤ ¼¹ö¿¡¼ ¹Þ°íÀÚ ÇÒ ¶§ »ç¿ëµÈ´Ù. µû¶ó¼, Range ÀÚü´Â Á¤»óÀûÀÎ ¿äûÀ̹ǷΠÂ÷´ÜÇؼ ´Â ¾È µÈ´Ù.
±×·¸´Ù¸é ¾î¶°ÇÑ ´ëÀÀ¹æ¹ýÀÌ °¡´ÉÇÒ °ÍÀΰ¡? 8¿ù 30ÀÏÀÚ·Î 2.2.X ¹öÀü¿¡ ´ëÇÑ ÆÐÄ¡ ¹öÀüÀÌ ¹ßÇ¥µÇ¾ú´Ù.(http://www.apache.org/dist/httpd/Announcement2.2.html) Á¶¸¸°£ RPMµîÀ¸·Îµµ ÆÐÄ¡°¡ ³ª¿Ã °ÍÀ¸·Î º¸ÀÌÁö¸¸, ¼ºñ½ºÁßÀÎ ¼¹ö¶ó¸é ÆÐÄ¡°¡ ½±Áö ¾ÊÀ» °ÍÀÌ´Ù. µû¶ó¼ WorkAround·Î ¾Æ·¡¿Í °°ÀÌ ¼³Á¤ÇÏ´Â °ÍÀÌ ±ÇÀåµÈ´Ù.
- httpd.conf ¿¡¼ LoadModule deflate_module modules/mod_deflate.so ÁÖ¼®Ã³¸®ÇÏ¿© ºñÈ°¼ºÈÈÄ apache¸¦ Àç½ÇÇàÇÑ´Ù.
- httpd.conf ¿¡¼ ¾Æ·¡ ºÎºÐÀ» Ãß°¡ ÈÄ apache¸¦ Àç½ÇÇàÇÑ´Ù.
BrowserMatch .* no-gzip À§ÀÇ µÎ °¡Áö ¼³Á¤Àº ±â´É»ó °°Àº Àǹ̶ó°í ÇÒ ¼ö Àִµ¥, deflate ¸ðµâÀº Ŭ¶óÀ̾ðÆ®¿¡¼ ÀÀ´äÇϱâ Àü¿¡ ¾ÐÃàÀ» ÇÏ¿© ¼Óµµ¸¦ °³¼±ÇÏ°í ÀÀ´ä »çÀÌÁ ÁÙÀÌ´Â ±â´ÉÀ¸·Î¼ À̸¦ disableÇÏ´Â °ÍÀ» ÀǹÌÇÑ´Ù. ÀϹÝÀûÀÎ ¼ºñ½º Á¦°ø½Ã Å« ¿µÇâÀº ¾øÀ¸¹Ç·Î ±ÇÀåµÇ´Â ¹æ¹ýÀÌ´Ù. mod_deflate¿¡ ´ëÇؼ´Â http://httpd.apache.org/docs/2.0/mod/mod_deflate.html ¸¦ Âü°íÇϱ⠹ٶõ´Ù.
À§¿Í °°ÀÌ ¼³Á¤ÇÑ ÈÄ, ¼¹ö¿¡¼´Â 206À¸·Î ÀÀ´äÀº ÇÏÁö¸¸, ¼¹öÀÇ ºÎÇÏ°¡ »ó½ÂÇÏ´Â °ÍÀº ¾î´ÀÁ¤µµ ÇÇÇÒ ¼ö ÀÖ´Ù. ÀÌ¿Ü ÁÖÀÇÇÒ Á¡ ¹× Ãß°¡ÀûÀ¸·Î ÃëÇÒ ¼ö ÀÖ´Â ¹æ¹ýÀº ´ÙÀ½°ú °°´Ù.
1) ³»ºÎ ½Ã½ºÅÛÀ̶ó¸é ACL·Î Á¢±ÙÁ¦ÇÑ ¼³Á¤À» ÇÏ´Â °ÍÀÌ´Ù. ¼³»ç Ãë¾àÇÑ apache¹öÀüÀ̶ó ÇÏ´õ¶óµµ ACLÀ» ¸ÕÀú üũÇϹǷΠ¸¸¾à IP Á¢±Ù Á¦¾î°¡ µÇ¾î ÀÖ´Ù¸é 200 À̳ª 206À¸·Î ÀÀ´äÇÏÁö ¾Ê°í 403 ¿¡·¯°¡ ³ª°Ô µÈ´Ù. µû¶ó¼, ¿ÜºÎ¿¡ ¿ÀÇÂÇÒ ÇÊ¿ä°¡ ¾ø´Â ¼¹ö¶ó¸é, .htaccessµîÀ» È°¿ëÇÏ¿© IP Á¢±Ù Á¦¾î¸¦ ÇÏ´Â °ÍÀÌ ±ÇÀåµÈ´Ù.
2) RequestHeader unset Range ¸¦ Ãß°¡ÇÏ¿© Range ¸¦ disableÇÒ ¼ö ÀÖÁö¸¸, ÀÌ·¯ÇÑ °æ¿ì ¾Õ¿¡¼ ¾ð±ÞÇÑ´ë·Î Á¤»óÀûÀÎ range request ¸¦ ÇÏ´Â video ½ºÆ®¸®¹ÖÀ̳ª pdfµîÀÇ ´Ù¿î·Îµå°¡ ÀÛµ¿ÇÏÁö ¾Ê°Ô µÇ¹Ç·Î ±ÇÀåÇÏÁö ¾Ê´Â´Ù.
3) Åë»óÀûÀ¸·Î HEAD´Â °Ë»ö¿£Áø ·Îº¿ÀÌ ¹®¼ÀÇ º¯°æ ¿©ºÎ¸¦ üũÇϰųª ¸ð´ÏÅ͸µµî¿Ü¿¡´Â Àß »ç¿ëµÇÁö ¾ÊÀ¸¹Ç·Î HEAD ¸Þ¼Òµå¸¦ Â÷´ÜÇÏ´Â ¹æ¹ýÀ» »ý°¢ÇÒ ¼ö ÀÖ´Ù. ±×·¯³ª °ø°³µÈ °ø°ÝÄÚµå´Â HEAD·Î ¿äûÇÏÁö¸¸, GETÀ¸·Î º¯°æÇصµ µ¿ÀÏÇÑ È¿°ú¸¦ ³¾ ¼ö ÀÖÀ¸¹Ç·Î »ç½Ç»ó Àǹ̰¡ ¾ø´Ù°í ÇÒ ¼ö ÀÖ´Ù.
4)Åë»óÀûÀ¸·Î Range ¿äû½Ã Çʵ尡 5°³ ÀÌ»óÀº ³ÑÁö ¾Ê´Â´Ù. µû¶ó¼ modsecurity ¶Ç´Â À¥ ¹æȺ®À» »ç¿ëÇÑ´Ù¸é ÇѹøÀÇ HTTP ¿äû¿¡ ¸¹Àº range ¿äûÀÌ µé¾î¿Ã °æ¿ì Â÷´ÜÇϵµ·Ï ¼³Á¤ÇÒ ¼ö ÀÖ´Ù. ¶Ç´Â ¾Æ·¡¿Í °°ÀÌ ¼³Á¤ °¡´ÉÇÏ´Ù. ÀÌ ¹æ¹ý ¿ª½Ã °¡Àå ÀϹÝÀûÀ¸·Î ±ÇÀåµÇ´Â ¹æ¹ýÁß Çϳª¶ó°í ÇÒ ¼ö ÀÖ´Ù.
# 2.XÀÇ °æ¿ì SetEnvIf Range (,.*?){5,} bad-range=1 RequestHeader unset Range env=bad-range
# 1.3.XÀÇ °æ¿ì RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F] 5)HEAD ¸Þ¼Òµå¿¡¼´Â ±âº»ÀûÀ¸·Î range ¿äûÀ» ÇÒ ÇÊ¿ä°¡ ¾ø´Ù. µû¶ó¼ Å« Àǹ̴ ¾øÁö¸¸, HEADÀÌ¸é¼ Range ¿äûÀÌ ÀÖÀ¸¸é Â÷´ÜÇϵµ·Ï ¼³Á¤ÇÒ ¼öµµ ÀÖ´Ù.
6) ¸¶Áö¸·À¸·Î, ÀϹÝÀûÀ¸·Î HTTP ¿äûÀÚü´Â ÆÐŶ Å©±â°¡ Å©Áö ¾ÊÀ½¿¡ ¹ÝÇØ °ø°ÝÆÐŶÀ» º¸¸é »çÀÌÁî°¡ ¸Å¿ì Å« °ÍÀ» ¾Ë ¼ö Àִµ¥, ÀÌÀÇ ¿ø¸®¸¦ ÀÌ¿ëÇÏ¿© httpd.conf ¿¡ LimitRequestFieldSize 200 ¿Í °°ÀÌ Ãß°¡ÇÏ¿© Â÷´ÜÇÒ ¼ö ÀÖ´Â ¹æ¹ýµµ ÀÖ´Ù. À̶§´Â ¾Æ·¡¿Í °°ÀÌ 400 ¿¡·¯·Î Ãâ·ÂÇÏ°Ô µÇ°í error_log ¿¡´Â [Fri Aug 26 12:27:31 2011] [error] [client 192.168.10.34] request failed: error reading the headers ¿Í °°ÀÌ ³²°Ô µÈ´Ù.
HTTP/1.1 400 Bad Request. Date: Fri, 26 Aug 2011 03:27:21 GMT. Server: Apache. Connection: close. Content-Type: text/html; charset=iso-8859-1.
±×·¯³ª, ÄíÅ°µîÀÇ Á¤º¸°¡ ±æ¸é ÆÐŶ »çÀÌÁî°¡ Ä¿Áö´Â °æ¿ìµµ ÀÖÀ¸¹Ç·Î ¿ÀŽ °¡´É¼ºÀÌ ÀÖÀ¸¹Ç·Î Àû¿ë½Ã¿¡´Â ÁÖÀÇÇÏ¿©¾ß ÇÑ´Ù.
°ü·ÃÇÏ¿© ¾Æ·¡ÀÇ URLÀ» Âü°íÇϱ⠹ٶõ´Ù.
http://seclists.org/fulldisclosure/2011/Aug/175 http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2 http://www.apache.org/dist/httpd/Announcement2.2.html
[±Û. ¾¾µð³×Æ®¿÷½º È«¼®¹ü , antihong@gmail.com]
|
|
|
|
|