Opened 5 months ago

Closed 5 months ago

#2590 closed defect (invalid)

Nginx is not able to withstand with pwnloris DoS attack (CVE-2007-6750 and CVE-2012-5568)

Reported by: shwetajadhav2010@… Owned by:
Priority: critical Milestone:
Component: nginx-core Version: 1.20.x
Keywords: Cc:
uname -a: Linux 9e110798ea65 4.18.0-477.27.1.el8_8.x86_64 #1 SMP Thu Aug 31 10:29:22 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.20.2
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/lib/nginx/tmp/client_temp --http-proxy-temp-path=/var/lib/nginx/tmp/proxy_temp --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi_temp --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi_temp --http-scgi-temp-path=/var/lib/nginx/tmp/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/home/appl.ci/jenkins4/workspace/vxos/vxos_common_rpms_main_release_rhel8/compiled_rpms/nginx/rpmbuild/BUILD/lua-nginx-module --add-dynamic-module=/home/appl.ci/jenkins4/workspace/vxos/vxos_common_rpms_main_release_rhel8/compiled_rpms/nginx/rpmbuild/BUILD/njs/nginx --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Description

We use nginx in our product.
We used pwnloris script for CVE-2007-6750 and CVE-2012-5568 with nginx/web server as a target.

Pwnloris script downloaded from here: https://github.com/h0ussni/pwnloris.
After running pwnloris script, nginx/web server went down and we are not able to access web server from any client/user.

Change History (8)

comment:1 by Maxim Dounin, 5 months ago

Resolution: invalid
Status: newclosed

To protect from DoS attacks, consider configuring nginx appropriately. In particular, Slowloris-type attacks can be effectively mitigated by:

Additionally, you might also consider:

  • Limiting request rates with limit_req.
  • Limiting number of connections with active requests with limit_conn.
  • Using reset_timedout_connection to ensure faster closing of connections with misbehaving clients.
  • Configuration limits on the number of open connections externally to nginx (e.g., on your firewall).

Hope this helps.

comment:2 by shwetajadhav2010@…, 5 months ago

Can these settings cause any performance hamper? If yes, small or big?
Can you please share all the known attacks & corresponding nginx settings for them?

comment:3 by shwetajadhav2010@…, 5 months ago

Resolution: invalid
Status: closedreopened

Can these settings cause any performance hamper? If yes, small or big?
Can you please share all the known attacks & corresponding nginx settings for them?

Last edited 5 months ago by shwetajadhav2010@… (previous) (diff)

comment:4 by Maxim Dounin, 5 months ago

Resolution: invalid
Status: reopenedclosed

If you need help with configuring nginx, please use support options available.

comment:5 by shwetajadhav2010@…, 5 months ago

Resolution: invalid
Status: closedreopened

As per the suggestions, we have tried nginx directives but still we are able to reproduce DoS attack (Script used for DoS attack: https://github.com/h0ussni/pwnloris)

Below are the settings which we have implemented and tested:

# Set a limit for the number of connections from a single IP
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_conn conn_limit_per_ip 20;

# Set a limit for the number of connections in total
limit_conn_zone $server_name zone=conn_limit_total:10m;
limit_conn conn_limit_total 100;

# Limit the number of simultaneous connections from a single IP
# Note: In HTTP/2 and HTTP/3, each concurrent request is considered a separate connection.
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=30r/s;
limit_req zone=req_limit_per_ip burst=50 nodelay;

# Set a timeout for entire client connection
keepalive_timeout 65;

# To save from Slowloris set small timeout
client_body_timeout 10s;
client_header_timeout 10s;

# enables resetting timed out connections and connections closed with the non-standard code 444
reset_timedout_connection on


events {

# try with both multiple accept on and off
# multi_accept on;
worker_connections 1024;

}

Kindly provide solution for this issue.

comment:6 by Maxim Dounin, 5 months ago

Resolution: invalid
Status: reopenedclosed

The particular script creates requests with incomplete headers. As such, the client_header_timeout apply. More advanced limits, such as limit_req and limit_conn, won't work for the particular attack, as they only limit requests with fully read headers.

With worker_connections 1024;, client_header_timeout 10s;, and just one worker process (which is the default), it would be possible to DoS nginx as long as the client is able to open at least 1024 connections in total, and is able to open 100 new connections per second. As such, to withstand the particular DoS, you should increase worker_connections, and/or reduce client_header_timeout, and/or add more worker processes, and/or introduce external connection limits (either on total number of connections or on connection establishment rate).

As previously suggested, if you need help with configuring nginx, please use ​support options available.

comment:7 by lulopezz145@…, 5 months ago

Resolution: invalid
Status: closedreopened

comment:8 by Maxim Dounin, 5 months ago

Resolution: invalid
Status: reopenedclosed

Please avoid reopening tickets without providing an explanation why you are doing it. Thank you.

Note: See TracTickets for help on using tickets.