[Mongrel] [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack

Ian C. Blenke ian at blenke.com
Thu Oct 26 10:23:50 EDT 2006

Ian C. Blenke wrote:

> We're using debian ruby 1.8.4-1, apache 2.2.3, mod_proxy_balancer, no 
> camping, and mongrel (is this pre-0.3.14?) plus the patch for 
> svn rev 356, and ruby cvs cgi.rb rev 1.19. I haven't seen any missing 
> file errors in the apache logs since the upgrade from

It just occurred to me, we're serving public/ files statically from 
apache2.2 without involving mongrel at all. In this case, anything in 
public/ would be sent directly without the need for mongrel to do an 
X-Sendfile direction to Apache.

  # Redirect all non-static requests to cluster
  RewriteRule ^/(.*)$ balancer://mongrel_cluster%{REQUEST_URI} [P,QSA,L]

If I comment out the RewriteCond, and shunt all requests to mongrel, I 
don't see any missing static content or errors in the logs, but then 
again I haven't done anything special to enable sendfile support (is 
there a gem I should install for mongrel to use to help test this?)

It looks like Coda Hale has experienced this, and is suggesting that 
folks do _not_ use sendfile if you can have something else test for 
static content and send it instead:


Unless this has changed recently... (as most things rails tend to do)

- Ian C. Blenke <ian at blenke.com>
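An added example of the arrangement Ian describes (this is not from the original message or the Mongrel project): an Apache 2.2 vhost that serves public/ statically and only hands the remaining requests to the mongrel cluster, so neither mongrel nor X-Sendfile is involved for static content. The document root, hostname and backend ports are assumed placeholders.

```apache
# Added example, not from the original post. Paths, hostname and ports
# are assumed placeholders; adjust to the deployment.
<VirtualHost *:80>
    ServerName app.example.com

    # Rails public/ is the document root, so images, stylesheets and
    # javascripts are served by Apache without touching mongrel.
    DocumentRoot /var/www/app/current/public

    <Directory /var/www/app/current/public>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Backend pool: mongrel_cluster instances on assumed local ports.
    <Proxy balancer://mongrel_cluster>
        BalancerMember http://127.0.0.1:8000
        BalancerMember http://127.0.0.1:8001
        BalancerMember http://127.0.0.1:8002
    </Proxy>

    RewriteEngine On

    # Rails page caching writes public/foo.html; map /foo to it so the
    # cached page is served by Apache rather than regenerated by mongrel.
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.html -f
    RewriteRule ^/(.*)$ /$1.html [L]

    # Only proxy when no file in public/ matches the request. Without
    # these two conditions every request (static or not) reaches mongrel.
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.html !-f
    RewriteRule ^/(.*)$ balancer://mongrel_cluster%{REQUEST_URI} [P,QSA,L]

    # Rewrite Location headers from the backends back to this vhost.
    ProxyPassReverse / balancer://mongrel_cluster/
</VirtualHost>
```

Commenting out the RewriteCond lines reproduces the "shunt everything to mongrel" configuration from the message, which is a useful way to confirm whether the backend is the source of any missing-file errors.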

