On 24/08/11 12:45, Andrea Zwirner wrote:
> 2011/8/24 Carlos Alberto Lopez Perez <clo...@igalia.com>
>
>> On 24/08/11 08:53, Dirk Hartmann wrote:
>>> Hi,
>>>
>>> it is possible to DoS an actual squeeze-apache2 with easy to forge
>>> range-requests:
>>>
>>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
>>>
>>> Apache-devs are working on a solution:
>>>
>>> http://www.gossamer-threads.com/lists/apache/dev/401638
>>>
>>> But because the situation seems serious I thought I give you a heads up.
>>>
>>> Running this script against a squeeze machine with 8 Cores and 24GB Ram
>>> you only need 200 threads to kick it out of memory.
>>>
>>> Cheers
>>> Dirk
>>>
>>
>> You can use the following redirect as a temporary workaround:
>>
>> # a2enmod rewrite
>>
>> RewriteEngine On
>> RewriteCond %{HTTP:Range} bytes=0-.* [NC]
>> RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
>>
>
> I'm not an Apache expert, could you please explain in broad terms what
> the workaround does?
>
It searches case-insensitively (NC = nocase) in the HTTP request for a Range header like the one used in the exploit:

    Range: bytes=0-*

If the HTTP request matches the condition, it redirects the user to the main page of your server using a temporary redirect (R=302). It also stops processing more rules at this point (L=last).

I tested it thoroughly and it stops the attack, while it doesn't affect the normal behaviour of the server; resuming downloads continues to work as expected.

http://stackoverflow.com/questions/3303029/http-range-header
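To see exactly which requests the RewriteCond above catches, here is an added Python emulation of the rule run over a few constructed request headers; it is not code from the thread or from Apache, and the header values and the server name are made-up samples. It also shows a side effect worth knowing when deploying the workaround: a legitimate first-chunk request such as "bytes=0-1023" is redirected as well, because the pattern is unanchored and matches any value starting with "bytes=0-".

```python
import re

# Added example: emulates the mod_rewrite workaround from the thread
#   RewriteCond %{HTTP:Range} bytes=0-.* [NC]
#   RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
# mod_rewrite patterns are unanchored regexes; [NC] makes them case-insensitive.
RANGE_COND = re.compile(r"bytes=0-.*", re.IGNORECASE)

# Constructed sample requests (not taken from the original thread).
SAMPLE_REQUESTS = {
    "plain_get":   {},                                   # no Range header at all
    "resume":      {"Range": "bytes=1000-"},             # resumed download: passes through
    "first_kb":    {"range": "bytes=0-1023"},            # legitimate, but redirected anyway
    "many_ranges": {"RANGE": "bytes=0-,5-0,5-1,5-2"},    # shape of the abusive header
}


def get_header(headers: dict, name: str):
    """Header names are case-insensitive, like the %{HTTP:Range} lookup in mod_rewrite."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def rewrite_cond_matches(range_value) -> bool:
    """True when the workaround's RewriteCond would fire for this Range value."""
    return range_value is not None and RANGE_COND.search(range_value) is not None


def count_ranges(range_value: str) -> int:
    """Number of byte-range-specs in a Range header (the spec allows several per header)."""
    _, _, spec = range_value.partition("=")
    return len([r for r in spec.split(",") if r.strip()])


def decide(headers: dict, server_name: str) -> str:
    """Outcome of the RewriteRule: a 302 to the site root, or pass the request on."""
    if rewrite_cond_matches(get_header(headers, "Range")):
        return f"302 http://{server_name}/"
    return "pass"


if __name__ == "__main__":
    for label, headers in SAMPLE_REQUESTS.items():
        print(f"{label:12} -> {decide(headers, 'www.example.org')}")
```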