Apache Addresses DoS Attacks

LOS ANGELES — Responding to a serious security threat, Apache has issued a warning and an update to its server software that affected webmasters should consider.

The Apache Software Foundation and the Apache HTTP Server Project have released version 2.2.20 of the popular Apache HTTP Server software in an attempt to mitigate a recent wave of denial-of-service (DoS) attacks, which have reportedly been facilitated by the onslaught of the so-called “Apache Killer” hacking tool.

According to its publisher, the latest version of Apache is principally a security and bug fix release. It addresses the handling of byte-range requests associated with the Range and Range-Request headers, in order to consume less memory resources in an effort to fight advanced DoS attacks. For example, Apache reps note that if the total of all ranges in a request is larger than the original file, Apache 2.2.20 will ignore the ranges and send the complete file.

Apache reportedly powers more than 65 percent of all web servers, including the majority of adult websites, making security issues a widespread concern — and perhaps especially so for Apple computing fans, as the company includes Apache with Mac OS X — but handles its own software updates, forcing Mac-based server operators to wait for Apple to release its next operating system update.

“We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade,” an Apache spokesperson stated.

Sophos’ “Naked Security” columnist, senior security advisor Chester Wisniewski, applauded the Apache team for so quickly testing and releasing this important security.

“Unfortunately, as we see all too frequently, many Linux and Unix administrators ‘set and forget’ their installations and never bother to look after their servers,” Wisniewski wrote. “Now it is up to you, the IT administrators who are using Apache, to follow through and apply these fixes.”

Webmasters should download the Apache HTTP Server 2.2.20 files from the official repository at http://httpd.apache.org/download.cgi, or contact their web hosting company to ensure that their sites are currently running this latest version of Apache.