
Re: Grave apache dos possible through byterange requests

On 24/08/11 08:53, Dirk Hartmann wrote:
> Hi,
> it is possible to DoS a current squeeze apache2 with easy-to-forge
> range requests:
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
> Apache-devs are working on a solution:
> http://www.gossamer-threads.com/lists/apache/dev/401638
> But because the situation seems serious I thought I'd give you a heads-up.
> Running this script against a squeeze machine with 8 cores and 24 GB RAM, you
> only need 200 threads to kick it out of memory.
> Cheers
> Dirk

You can use the following redirect as a temporary workaround:

# a2enmod rewrite

# Apache configuration, server or <VirtualHost> context. A request whose
# Range header contains a range starting at byte 0 is answered with a
# redirect to / instead of being served, so the byterange filter never
# processes it. The condition is an unanchored regex, case-insensitive
# because of [NC]; it only matches headers that contain "bytes=0-".
RewriteEngine On
RewriteCond %{HTTP:Range} bytes=0-.* [NC]
RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]

Attachment: signature.asc
Description: OpenPGP digital signature
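To see what the posted RewriteCond does and does not catch, here is an added example that is not part of this thread or of Apache itself. It re-implements two Range-header checks in Python: the poster's condition (`bytes=0-.*`, an unanchored case-insensitive search, as Apache applies a RewriteCond regex) and the negated condition the Apache httpd advisory for CVE-2011-3192 recommended, `!(^bytes=[^,]+(,[^,]+){0,4}$|^$)`, which rejects any Range header with more than five ranges. The sample headers, including one built in the style of the public proof of concept, are constructed here; the helper names are this example's own.

```python
import re

# The poster's RewriteCond: an unanchored, case-insensitive ([NC]) regex.
POSTER_COND = re.compile(r"bytes=0-.*", re.IGNORECASE)

# Allow-pattern from the Apache httpd advisory for CVE-2011-3192. Apache
# applies it negated: a request passes only if the Range header is empty
# or holds at most five comma-separated range specs.
ADVISORY_ALLOW = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")

# One byte-range-spec: "first-last", "first-" or "-suffix" (RFC 2616 14.35).
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def count_ranges(header):
    """Number of byte-range specs in a Range header value.

    0 for an absent or empty header; ValueError for anything that is not
    a well-formed bytes= range set.
    """
    if not header:
        return 0
    if not header.lower().startswith("bytes="):
        raise ValueError("not a bytes range: %r" % header)
    specs = header[len("bytes="):].split(",")
    for spec in specs:
        m = RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed range spec: %r" % spec)
    return len(specs)


def poster_rule_blocks(header):
    """True if the posted RewriteCond would redirect this request."""
    return bool(POSTER_COND.search(header or ""))


def advisory_rule_blocks(header):
    """True if the advisory's negated RewriteCond would reject this request."""
    return not ADVISORY_ALLOW.match(header or "")


def dos_header(n, first="0-"):
    """Constructed sample: a Range value in the style of the public PoC,
    one leading range followed by n overlapping 'Range: bytes=5-i' specs."""
    return "bytes=" + ",".join([first] + ["5-%d" % i for i in range(n)])


if __name__ == "__main__":
    samples = {
        "absent": "",
        "normal single": "bytes=500-999",
        "normal from 0": "bytes=0-499",
        "two ranges": "bytes=0-499,500-999",
        "PoC style": dos_header(1300),
        "PoC style, first range 1-": dos_header(1300, first="1-"),
    }
    for name, hdr in samples.items():
        print("%-28s ranges=%-5d poster=%-5s advisory=%s" % (
            name, count_ranges(hdr), poster_rule_blocks(hdr),
            advisory_rule_blocks(hdr)))
```

Running it shows the two trade-offs a practitioner would want to know before deploying either rule: the posted condition redirects every legitimate request whose first range starts at byte 0 (a download resume from the beginning, for instance) while passing a PoC-style header that starts at `bytes=1-`; the advisory pattern keys on the number of ranges instead, so it passes ordinary one- or two-range requests and rejects the many-range attack regardless of where the first range starts.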
