Buffer overflow is a very common vulnerability, often targeted with zero-day exploits. Successful attacks often result in arbitrary code execution, while failed attempts tend to crash the target program. ASLR makes this scenario even more common: in this attack example Apache web server is repeatedly crashed until the attacker detects the address of the system() function before it is exploited. The attack requires an average of 32000 attempts.
This made me think: why does Apache allow itself to be attacked in such an obvious way? I would be surprised if properly configured web servers crash more than a couple of times per day in production, so thousands of crashes in a matter of minutes is a strong indicator that:
- an attack is going on
- it is actually succeeding, i.e. buffer overflow does happen
In the event of a zero-day exploit, banning the attacker's IP for a day or stopping the server altogether after 10 or so crashes would provide enough time to apply a fix and make a big difference in security.
Is there a way to enforce such a security policy for popular services like Apache, sshd and similar? Or are there HTTP and SSH servers which have such functionality built in?
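One way to implement the crash-rate heuristic the question describes, as an added example that is not from the post or from Apache's own tooling: it scans Apache 2.4 error-log lines for worker-crash notices and reports when more than a threshold of them fall inside a sliding time window. The AH00052 line layout is assumed from the standard message and the sample log lines are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Apache 2.4 error-log line written when a worker dies from a signal. The field
# layout is an assumption based on the AH00052 message; adjust to your ErrorLogFormat.
CRASH_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d+ \d{4})\]"
    r" \[core:notice\] \[pid \d+\] AH00052: child pid \d+"
    r" exit signal (?P<sig>[A-Za-z ]+) \(\d+\)"
)
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"


def crash_times(lines):
    """Yield the timestamp of every worker crash found in error-log lines."""
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), TS_FMT)


def first_breach(lines, threshold=10, window=timedelta(minutes=5)):
    """Return the time at which `threshold` crashes have occurred within the
    trailing `window`, or None if the crash rate never gets that high. This is
    the point where the policy from the post (alert, block, stop) would fire."""
    recent = deque()
    for t in crash_times(lines):
        recent.append(t)
        while t - recent[0] > window:   # drop crashes that fell out of the window
            recent.popleft()
        if len(recent) >= threshold:
            return t
    return None


def make_sample(n_crashes, seconds_apart):
    """Constructed sample data: one normal startup notice followed by
    n_crashes segfault notices spaced seconds_apart (not a real log)."""
    base = datetime(2024, 1, 15, 10, 0, 0)
    lines = ["[%s] [mpm_prefork:notice] [pid 100] AH00163: Apache/2.4 configured"
             % base.strftime(TS_FMT)]
    for i in range(n_crashes):
        ts = (base + timedelta(seconds=i * seconds_apart)).strftime(TS_FMT)
        lines.append("[%s] [core:notice] [pid 100] AH00052: child pid %d "
                     "exit signal Segmentation fault (11)" % (ts, 200 + i))
    return lines


if __name__ == "__main__":
    hit = first_breach(make_sample(40, 1))  # burst of 40 crashes one second apart
    print("crash-rate policy tripped at", hit)
```

With real logs, feed the open error log (or `tail -F` output) line by line into `first_breach`; a few isolated crashes per day stay below the threshold, while a brute-force burst trips it within seconds.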