Hi Ilya,

On Wed, May 27, 2020 at 10:48:28PM +0500, ???? ??????? wrote:
> hello,
> 
> how does haproxy serve queries like that:
> 
> Range: bytes=0-,0-,0-,0-,....
> 
> more info:
> https://www.zdnet.com/article/rangeamp-attacks-can-take-down-websites-and-cdn-servers/

Well, range attacks are pretty common; this is just yet another one.
Haproxy has no use of the Range header so it's not sensitive to this.
However, it could trivially stop such attacks at the edge by deleting
Range headers if they appear with multiple values (which is not common
quite frankly). I guess something like this would do it pretty efficiently:

    http-request del-header range if { req.hdr_cnt(range) gt 1 }

The effect will be that those requesting more than one range will simply
get the whole file once instead.

Willy
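As an added illustration (not part of Willy's reply and not HAProxy's own code), here is a small Python model of what that one-line rule decides. It assumes HAProxy's documented behaviour that req.hdr_cnt(range) counts each comma-separated value inside a Range line as a separate occurrence, as well as each repeated Range line; the sample requests are constructed.

```python
from typing import List, Tuple

Headers = List[Tuple[str, str]]  # ordered (name, value) pairs, as parsed from a request


def range_value_count(headers: Headers) -> int:
    """Count Range values the way req.hdr_cnt(range) is assumed to:
    every Range header line, and every non-empty comma-separated value
    inside it, is one occurrence."""
    count = 0
    for name, value in headers:
        if name.lower() != "range":
            continue
        count += sum(1 for part in value.split(",") if part.strip())
    return count


def strip_multi_range(headers: Headers) -> Headers:
    """Model of 'http-request del-header range if { req.hdr_cnt(range) gt 1 }':
    when more than one Range value is present, drop every Range header so the
    origin serves the whole object once; otherwise leave the request untouched."""
    if range_value_count(headers) > 1:
        return [(n, v) for n, v in headers if n.lower() != "range"]
    return list(headers)


# Constructed sample requests (header lists only; the Host values are placeholders).
NORMAL = [("Host", "example.invalid"), ("Range", "bytes=0-1023")]
MULTI_VALUE = [("Host", "example.invalid"), ("Range", "bytes=0-,0-,0-,0-")]
MULTI_LINE = [("Host", "example.invalid"), ("Range", "bytes=0-"), ("Range", "bytes=0-")]
NO_RANGE = [("Host", "example.invalid")]

if __name__ == "__main__":
    for label, req in [("normal", NORMAL), ("multi-value", MULTI_VALUE),
                       ("multi-line", MULTI_LINE), ("no-range", NO_RANGE)]:
        print(label, range_value_count(req), strip_multi_range(req))
```

A legitimate single-range request (a video seek, a resumed download) passes through unchanged; only requests carrying several ranges lose the header.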
