[htdig] possible DoS attack?

Subject: [htdig] possible DoS attack?
From: Daniel Naber (dnaber@mini.gt.owl.de)
Date: Sun Nov 14 1999 - 04:55:49 PST


If you submit the attached form htdig will need several minutes to
perform the search. The resulting page (second attached file) will
be incomplete. This happens only if you don't change my default
values for Match and Format. My default values have very long
strings that don't make sense.

This could be used to spawn many processes in a short amount
of time, which will use up the server's memory. These processes
do not use (much) CPU time. A fix in htsearch might be to check for
sensible values before doing anything. A workaround is probably to
configure your server so it will kill CGI scripts after some seconds
if they are not done. Another way is to use a wrapper around htsearch
which will kill itself (e.g. by sending itself a signal) after a
certain time.

This has been tested with htdig 3.1.2 and 3.1.3 on a local machine
with a very small index (less than 10 documents). BTW, I know that you
can DoS attack anything by just sending enough queries but I think
this is more serious.

 Daniel Naber

PGP Key fingerprint = 3D 98 9E D2 00 B6 E0 9D  7E B9 77 23 17 E2 11 6A
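
The two mitigations suggested in the message above (checking for sensible values before doing anything, and a wrapper that kills itself with a signal after a certain time), combined in one CGI wrapper. This is an added example, not part of the original post and not ht://Dig code; the binary path, the length cap, the time budget and the GET-only policy are assumptions.

```python
import os
import signal
import sys
from urllib.parse import parse_qsl

HTSEARCH = "/usr/local/libexec/htsearch.real"  # hypothetical path to the renamed real binary
MAX_VALUE_LEN = 256     # assumed cap on any single form value
DEADLINE_SECONDS = 10   # assumed wall-clock budget per search


def oversized_fields(query_string, limit=MAX_VALUE_LEN):
    """Return the names of form fields whose decoded value is longer than limit."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return sorted({name for name, value in pairs if len(value) > limit})


def arm_deadline(seconds=DEADLINE_SECONDS):
    """Schedule SIGALRM for this process. The timer survives exec, and the
    default SIGALRM action terminates whichever program is running by then."""
    signal.signal(signal.SIGALRM, signal.SIG_DFL)
    signal.alarm(seconds)


def reject(status, message):
    """Emit a minimal CGI error response instead of starting the search."""
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{message}\n")
    return 0


def main(environ=os.environ):
    # Only QUERY_STRING is inspected, so other request methods are refused
    # rather than passed through unchecked.
    if environ.get("REQUEST_METHOD", "GET") != "GET":
        return reject("405 Method Not Allowed", "Only GET searches are accepted.")
    bad = oversized_fields(environ.get("QUERY_STRING", ""))
    if bad:
        return reject("400 Bad Request", "Field too long: " + ", ".join(bad))
    arm_deadline()
    os.execv(HTSEARCH, [HTSEARCH])  # replaces this process; the alarm stays armed


if __name__ == "__main__":
    sys.exit(main())
```

Because the wrapper execs the real binary instead of spawning it, the process that the alarm kills is the search itself, so no child is left behind holding memory.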

