
Re: Grave apache dos possible through byterange requests



On 24/08/11 12:45, Andrea Zwirner wrote:
> 2011/8/24 Carlos Alberto Lopez Perez <clopez@igalia.com>
> 
>> On 24/08/11 08:53, Dirk Hartmann wrote:
>>> Hi,
>>>
>>> it is possible to DoS an actual squeeze-apache2 with easy to forge
>>> range-requests:
>>>
>>>
>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
>>>
>>> Apache-devs are working on a solution:
>>>
>>> http://www.gossamer-threads.com/lists/apache/dev/401638
>>>
>>> But because the situation seems serious I thought I give you a heads up.
>>>
>>> Running this script against a squeeze machine with 8 cores and 24GB RAM you
>>> only need 200 threads to kick it out of memory.
>>>
>>> Cheers
>>> Dirk
>>>
>>
>> You can use the following redirect as a temporary workaround:
>>
>> # a2enmod rewrite
>>
>> RewriteEngine On
>> RewriteCond %{HTTP:Range} bytes=0-.* [NC]
>> RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
>>
>>
> I'm not an Apache expert, could you please explain in broad terms what
> the workaround does?
> 

It searches case-insensitively (NC=nocase) in the HTTP request for a
header of type Range like the one used in the exploit:

Range: bytes=0-*

And if the HTTP request matches the condition then it redirects the user
to the main page of your server using a temporary redirect (R=302). Also
it stops processing more rules at this point (L=last).

I tested it thoroughly and it stops the attack; meanwhile it doesn't
affect normal behaviour of the server, and resuming downloads continue to
work as expected.

http://stackoverflow.com/questions/3303029/http-range-header

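An added example, not from this thread or from Apache: a small Python checker that applies the same test the quoted RewriteCond performs on the Range header (case-insensitive match on "bytes=0-") and, beside it, a stricter count-based check over constructed sample requests, so the two can be compared on benign and abusive input. The MAX_RANGES threshold and the sample requests are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regex equivalent of the quoted condition: RewriteCond %{HTTP:Range} bytes=0-.* [NC]
# It matches any header starting with "bytes=0-", including a single range from offset 0.
WORKAROUND_PATTERN = re.compile(r"bytes=0-.*", re.IGNORECASE)
MAX_RANGES = 5  # assumed threshold for this example; the thread gives no number


def _to_int(s: str) -> Optional[int]:
    return int(s) if s.isdigit() else None


def parse_ranges(value: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Parse a Range header value into (start, end) pairs; None means open-ended."""
    unit, _, spec = value.strip().partition("=")
    if unit.strip().lower() != "bytes":
        return []  # only byte ranges are relevant here
    ranges = []
    for part in spec.split(","):
        start, sep, end = part.strip().partition("-")
        if sep:  # skip malformed pieces such as "500" with no dash
            ranges.append((_to_int(start), _to_int(end)))
    return ranges


def assess_range_header(value: str) -> Dict[str, object]:
    """Report whether the rewrite workaround would fire and whether the range count is excessive."""
    ranges = parse_ranges(value)
    return {
        "matches_workaround": WORKAROUND_PATTERN.search(value) is not None,
        "range_count": len(ranges),
        "suspicious": len(ranges) > MAX_RANGES,
    }


def suspicious_requests(raw_requests: List[str]) -> List[int]:
    """Indices of raw HTTP requests whose Range header carries more than MAX_RANGES ranges."""
    flagged = []
    for i, raw in enumerate(raw_requests):
        for line in raw.split("\r\n"):
            name, _, val = line.partition(":")
            if name.strip().lower() == "range" and assess_range_header(val)["suspicious"]:
                flagged.append(i)
                break
    return flagged


# Constructed sample requests: a normal resume, a many-range header, and no Range header.
SAMPLE_REQUESTS = [
    "GET /big.iso HTTP/1.1\r\nHost: www.example.test\r\nRange: bytes=1024-\r\n\r\n",
    "GET /big.iso HTTP/1.1\r\nHost: www.example.test\r\nRange: bytes=0-,0-1,0-2,0-3,0-4,0-5,0-6\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
]
```

Running `suspicious_requests(SAMPLE_REQUESTS)` flags only the second request, while the regex check alone would also fire on any single range that starts at offset 0.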