httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: Mitigation Range header (Was: DoS with mod_deflate & range requests)
Date Wed, 24 Aug 2011 12:04:35 GMT
On Wed, Aug 24, 2011 at 7:57 AM, "Plüm, Rüdiger, VF-Group"
<ruediger.pluem@vodafone.com> wrote:
>
>
>> -----Original Message-----
>> From: Dirk-Willem van Gulik
>> Sent: Wednesday, 24 August 2011 13:33
>> To: dev@httpd.apache.org
>> Subject: Mitigation Range header (Was: DoS with mod_deflate &
>> range requests)
>>
>> Folks,
>>
>> This issue is now active in the wild. So some unified/simple
>> comms is needed.
>>
>> What is the wisdom on mitigation advice/briefing until a
>> proper fix is out - in order of ease:
>>
>> ->    Where possible - disable mod_deflate
>>
>>       => we sure this covers all cases - or this is a good stopgap ?
>
> As said this has *nothing* to do with mod_deflate. This was IMHO just
> a guess by the original author of the tool.
>
>>
>> ->    Where possible - set LimitRequestFieldSize to a small value
>>
>>       ->      Suggesting of 128 fine ?
>>
>> ->    Where this is not possible (e.g. long cookies, auth
>> headers of serious size) consider using
>>       mod_rewrite to not accept more than a few commas
>>
>>       =>      anyone a config snippet for this ?
>
> How about the following (untested) rewrite rule. It should only allow 5
> ranges at max.
>
> RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$
> RewriteRule .* - [F]

Is [E=no-gzip] enough to avoid the downward spiral, for the sake of
false positives?

But your regex matches when there's just a couple of ranges -- maybe
{4} and no $?
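The point raised in the reply can be checked without a running httpd. The script below is an added example, not code from the thread or from the Apache project: it evaluates the posted RewriteCond pattern and the corrected form suggested in the reply (`{4}` with no trailing `$`, i.e. `RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){4}` followed by `RewriteRule .* - [F]`) against a few constructed Range header values. It assumes that Python's `re` treats this particular pattern the same way the PCRE engine used by mod_rewrite does, which holds for the anchors, character classes and counted repetition used here.

```python
import re

# The (untested) condition as posted in the thread. With "RewriteRule .* - [F]"
# a match FORBIDS the request, so this pattern forbids headers carrying
# one to five ranges and lets longer lists through: the opposite of the intent.
POSTED = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$")

# Corrected form along the lines of the reply: a match now means at least five
# comma-separated ranges (four ",range" repetitions after the first), and the
# missing "$" lets arbitrarily long lists match as well. The repetition count
# is the threshold; raise it to permit more ranges before forbidding.
CORRECTED = re.compile(r"^bytes=[^,]+(,[^,]+){4}")


def count_ranges(value):
    """Number of non-empty comma-separated range specs in a Range header value."""
    if not value.startswith("bytes="):
        return 0
    return sum(1 for part in value[len("bytes="):].split(",") if part.strip())


def decision(pattern, value):
    """'forbid' if the RewriteCond matches (so the [F] rule fires), else 'allow'."""
    return "forbid" if pattern.search(value) else "allow"


def evaluate(headers):
    """For each header value: (range count, posted-rule decision, corrected-rule decision)."""
    return [(count_ranges(h), decision(POSTED, h), decision(CORRECTED, h)) for h in headers]


# Constructed sample Range values for the demonstration (not taken from the thread).
SAMPLE_HEADERS = [
    "bytes=0-",                                         # 1 range: a normal resumed download
    "bytes=0-99,200-299",                               # 2 ranges: ordinary multi-range request
    "bytes=0-1,2-3,4-5,6-7",                            # 4 ranges: still under the threshold
    "bytes=0-1,2-3,4-5,6-7,8-9",                        # 5 ranges: at the threshold
    "bytes=" + ",".join(f"{i}-" for i in range(200)),   # 200 ranges: the abusive case
]

if __name__ == "__main__":
    for hdr, (n, posted, corrected) in zip(SAMPLE_HEADERS, evaluate(SAMPLE_HEADERS)):
        print(f"{n:4d} ranges  posted={posted:6s}  corrected={corrected:6s}  {hdr[:40]}")
```

Running it shows the inversion: the posted condition forbids the one-, two- and four-range requests (all legitimate) while allowing the 200-range header, whereas the corrected condition allows the small requests and forbids the 200-range one. Five ranges is forbidden by both patterns with `{4}`; use `{5}` if exactly five should still be accepted.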
