Anatomy of an attack – update

The DDoS attack which I recently experienced on my web site was obviously the exploit of an error of PHP in the context of XML processing. Also see the news at heise (German). WordPress has provided an update to mitigate this problem.

About the details:

With specific XML files the PHP function xml_parse() can cause a huge memory allocation. For this you embed a DTD in which you define an XML entity which is quite long (for example 50000 characters). Then you add an element which contains this entity for example a 100000 times. In result the document needs 50000×100000 bytes for interpretation which is more than 4 GiB, even though the source needs less than 150 kiB. An attacker can bring the server to its limits by sending many requests like this within a short time period.

Although PHP limits the memory consumption of scripts – the limit only applies for a single script. But on many servers multiple PHP scripts will be executed parallel in separate processes (for example using fcgi) which eventually can cause a higher memory consumption. For example if 200 processes are allowed this would already be about 25 GiB. Most likely this would “paralyze” many web servers since the system is then mainly occupied by handling the memory management and accessing the swap space.

The update of WordPress now makes the use of DTDs impossible and only accepts XML files which contain required the elements and not too many elements at all.

Leave a Comment

Your email address will not be published. Required fields are marked *