Updated: Apache servers succumb to four-year-old bug
Apache Killer denial-of-service tool based on vulnerability discovered in 2007
The Apache project developer community is warning users of its web server software that a denial-of-service (DoS) tool for attacking the popular server system is circulating in the wild.
A fix is expected to be issued for Apache 2.0 and 2.2 on Friday.
Update: Meanwhile, security firm Sourcefire has announced that its Vulnerability Research Team (VRT) protects users against Apache Killer, as well as against attacks using the underlying vulnerability that enables it.
Functionality to detect the bug has existed for several years in both the Sourcefire IPS and open source Snort.
The VRT also supplemented this protection today with a new rule that specifically detects this new exploit and helps administrators identify the specific tool being used to attack them.
The Apache Killer tool exploits a vulnerability identified by security specialist Michal Zalewski as far back as January 2007, but the tool itself only surfaced in a post to the Full Disclosure security site last week.
The Apache project developers issued a security bulletin yesterday at 16.16 GMT, saying that Apache Killer is already being used in earnest.
"The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server," says the bulletin. "The default Apache HTTPD installation is vulnerable.
"There is currently no patch/new version of Apache HTTPD which fixes this vulnerability. This advisory will be updated when a long-term fix is available. A full fix is expected in the next 48 hours."
The bulletin also gives details of mitigating action system administrators can take to protect their networks until a fix is published.
Apache is the world's most widely used web server software, with a market share of over 60 per cent.
Apple bundles Apache with OS X, but OS X users will have to wait for Apple to ship its own patch.