Opened 10 months ago
Closed 10 months ago
#2590 closed defect (invalid)
Nginx is not able to withstand with pwnloris DoS attack (CVE-2007-6750 and CVE-2012-5568)
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | critical | Milestone: | |
Component: | nginx-core | Version: | 1.20.x |
Keywords: | Cc: | ||
uname -a: | Linux 9e110798ea65 4.18.0-477.27.1.el8_8.x86_64 #1 SMP Thu Aug 31 10:29:22 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.20.2
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC) built with OpenSSL 1.1.1k FIPS 25 Mar 2021 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/lib/nginx/tmp/client_temp --http-proxy-temp-path=/var/lib/nginx/tmp/proxy_temp --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi_temp --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi_temp --http-scgi-temp-path=/var/lib/nginx/tmp/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/home/appl.ci/jenkins4/workspace/vxos/vxos_common_rpms_main_release_rhel8/compiled_rpms/nginx/rpmbuild/BUILD/lua-nginx-module --add-dynamic-module=/home/appl.ci/jenkins4/workspace/vxos/vxos_common_rpms_main_release_rhel8/compiled_rpms/nginx/rpmbuild/BUILD/njs/nginx --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' |
Description
We use nginx in our product.
We used pwnloris script for CVE-2007-6750 and CVE-2012-5568 with nginx/web server as a target.
Pwnloris script downloaded from here: https://github.com/h0ussni/pwnloris.
After running pwnloris script, nginx/web server went down and we are not able to access web server from any client/user.
Change History (8)
comment:1 by , 10 months ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 10 months ago
Can these settings cause any performance hamper? If yes, small or big?
Can you please share all the known attacks & corresponding nginx settings for them?
comment:3 by , 10 months ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
Can these settings cause any performance hamper? If yes, small or big?
Can you please share all the known attacks & corresponding nginx settings for them?
comment:4 by , 10 months ago
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
If you need help with configuring nginx, please use support options available.
comment:5 by , 10 months ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
As per the suggestions, we have tried nginx directives but still we are able to reproduce DoS attack (Script used for DoS attack: https://github.com/h0ussni/pwnloris)
Below are the settings which we have implemented and tested:
# Set a limit for the number of connections from a single IP
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_conn conn_limit_per_ip 20;
# Set a limit for the number of connections in total
limit_conn_zone $server_name zone=conn_limit_total:10m;
limit_conn conn_limit_total 100;
# Limit the number of simultaneous connections from a single IP
# Note: In HTTP/2 and HTTP/3, each concurrent request is considered a separate connection.
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=30r/s;
limit_req zone=req_limit_per_ip burst=50 nodelay;
# Set a timeout for entire client connection
keepalive_timeout 65;
# To save from Slowloris set small timeout
client_body_timeout 10s;
client_header_timeout 10s;
# enables resetting timed out connections and connections closed with the non-standard code 444
reset_timedout_connection on
events {
# try with both multiple accept on and off
# multi_accept on;
worker_connections 1024;
}
Kindly provide solution for this issue.
comment:6 by , 10 months ago
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
The particular script creates requests with incomplete headers. As such, the client_header_timeout
apply. More advanced limits, such as limit_req
and limit_conn
, won't work for the particular attack, as they only limit requests with fully read headers.
With worker_connections 1024;
, client_header_timeout 10s;
, and just one worker process (which is the default), it would be possible to DoS nginx as long as the client is able to open at least 1024 connections in total, and is able to open 100 new connections per second. As such, to withstand the particular DoS, you should increase worker_connections
, and/or reduce client_header_timeout
, and/or add more worker processes, and/or introduce external connection limits (either on total number of connections or on connection establishment rate).
As previously suggested, if you need help with configuring nginx, please use support options available.
comment:7 by , 10 months ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
comment:8 by , 10 months ago
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
Please avoid reopening tickets without providing an explanation why you are doing it. Thank you.
To protect from DoS attacks, consider configuring nginx appropriately. In particular, Slowloris-type attacks can be effectively mitigated by:
Additionally, you might also consider:
Hope this helps.