Types of Attacks - Apache

Not every attack is the same. In general, you can divide attacks into two categories:

• Ones that aim at gaining a remote shell. A remote shell is the ability to run arbitrary commands on a remote computer. For a cracker, having a remote shell is only the beginning; remote shells are usually obtained as a normal user, and in such a situation there is very little a cracker can do. These attacks are generally less common, and are caused by a buffer overflow. They are extremely dangerous, because they give the attacker full access to your server. Even though the attacker is only able to execute commands as the user Apache runs as, very often a remote shell leads to a root shell. A root shell is the ability to run any command as root—in such a case, the user (and the cracker) has complete control over the server.

• Denial of Service (DOS) attacks. These aim at crashing your server. For example a DOS attack against Apache can be caused by a problem in the way Apache was coded (a weird request could cause Apache to simply die, or consume all the available resources).

Denial Of Service attacks are probably less dangerous than remote shell attacks, but they are much more common and can cause major problems.

There are some key web sites that every system administrator should be aware of when dealing with Apache’s security. For a more comprehensive list of available resources, please refer to Appendix A of this book. Two sites in particular, Apache Week and CVE, are particularly important and are the starting points for the following sections, so I’ll introduce them now.

Apache Week (http://www.apacheweek.com) is a priceless resource for Apache in general; its newsletters will help you keep up with Apache’s development, and you'll learn important news about Apache. More importantly, its “Apache Security” section is the best summary of the security problems you can find in Apache: http://www.apacheweek.com/features/security-20.

CVE

Every vulnerability is given a very precise name, or ID. For example, the vulnerability “Remote DoS via IPv6” has the ID CAN-2003-0254. The naming convention used is the one set by CVE (Common Vulnerabilities and Exposures). CVE aims to be a dictionary, not a database, of every single publicly known vulnerability. It is also a valuable repository of information on every listed vulnerability. Its web address is http://cve.mitre.org/.