Web Server HTTP Header Memory Exhaustion DoS

Question

Web Server HTTP Header Memory Exhaustion DoS

Eric3495 opened this issue 2 years ago · comments

Synopsis
The remote web server is vulnerable to the 'infinite request' attack.
Description
It was possible to kill the web server by sending an invalid 'infinite' HTTP request that never ends, like:
GET / HTTP/1.0 Referer: XXXXXXXXXXXXXXXXXXXXXXXX ...

An attacker may exploit this vulnerability to make your web server crash continually (if the attack saturates virtual memory on the target) or even execute arbitrary code on your system (in case of buffer / heap overflow).
Solution
Upgrade your software or protect it with a filtering reverse proxy.

Can llhttp limit this security problem？

EricZheng · Answer 1 · Fri Jan 06 2023 14:43:04 GMT+0800 (China Standard Time)

https://www.tenable.com/plugins/nessus/11084

Derrick Lyndon Pallas · Answer 2 · Fri Jan 06 2023 15:34:20 GMT+0800 (China Standard Time)

llhttp does not allocate memory or manage the buffers the caller passes to it. This is the responsibility of the caller, not llhttp. If you pass it a large or malformed buffer, that’s on you.

EricZheng · Answer 3 · Fri Jan 06 2023 15:34:40 GMT+0800 (China Standard Time)

邮件发到~~

Paolo Insogna · Answer 4 · Fri Jan 06 2023 16:35:22 GMT+0800 (China Standard Time)

@pallas is right. There's nothing llhttp can do about this.
In addition to limit HTTP request size (which means rejecting the call at byte N) I would also impose an hard timeout on the sending time.

Closing as no action is possible here.