httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: DoS with mod_deflate & range requests
Date Tue, 23 Aug 2011 12:11:56 GMT
> -----Original Message-----
> From: Stefan Fritsch [mailto:sf@sfritsch.de] 
> Sent: Dienstag, 23. August 2011 13:09
> To: dev@httpd.apache.org
> Subject: DoS with mod_deflate & range requests
> 
> http://seclists.org/fulldisclosure/2011/Aug/175
> 
> I haven't looked into it so far. And I am not sure I will 
> have time today.


After checking the attack script and the code this has IMHO 
nothing to do with mod_deflate but only with the byterange filter.

But I admit that I haven't run the script to check.

The host is seen as vulnerable if it replies to a range request that requests
the whole entity via a range "0-" with a partial response.
A possible problem is that the output bucket brigade gets transformed
in a "one bucket per byte" brigade and thus into a brigade with many
buckets. Furthermore the created range response has a lot of buckets
with boundaries, strings allocated from r->pool.
So it might be advisable if we limit the number of ranges we accept
contained in a Range header.
As a further optimization we could check for "0-" ranges and once we
hit one just reply with the full response instead of a partial response.

Regards

Rüdiger
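
The two mitigations proposed above (cap the number of ranges accepted from a Range header, and treat a whole-entity range such as "0-" as a request for the full response) as an added example; this is not code from the thread or from httpd's byterange filter, and the header value, entity length and cap are assumed inputs the caller supplies.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

enum range_decision { RANGE_FULL, RANGE_PARTIAL, RANGE_BAD };

/* Parse one byte-range-spec ("a-b", "a-" or "-n") against an entity of clen
 * bytes; returns 1 if valid and sets *all when it spans the whole entity. */
static int parse_spec(const char *s, long clen, int *all)
{
    char *end; long a, b;
    while (isspace((unsigned char)*s)) s++;
    if (*s == '-') {                        /* suffix form "-n" */
        long n = strtol(s + 1, &end, 10);
        if (end == s + 1 || n <= 0) return 0;
        *all = (n >= clen); return 1;
    }
    if (!isdigit((unsigned char)*s)) return 0;
    a = strtol(s, &end, 10);
    if (*end != '-') return 0;
    s = end + 1;
    if (isdigit((unsigned char)*s)) {
        b = strtol(s, &end, 10);
        if (b >= clen) b = clen - 1;        /* clamp last-byte-pos to entity end */
    } else if (*s == '\0' || isspace((unsigned char)*s)) {
        b = clen - 1;                       /* open-ended "a-" */
    } else return 0;
    if (a > b) return 0;                    /* empty or unsatisfiable */
    *all = (a == 0 && b == clen - 1);
    return 1;
}

/* RANGE_FULL: ignore the header and send a plain 200 (a whole-entity range such
 * as "0-", or more than max_ranges ranges); RANGE_PARTIAL: a 206 is reasonable;
 * RANGE_BAD: malformed header value (hdr is the value after "Range:"). */
enum range_decision evaluate_range(const char *hdr, long clen, int max_ranges)
{
    const char *p = hdr + 6; int count = 0, all = 0;
    if (strncmp(hdr, "bytes=", 6) != 0) return RANGE_BAD;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char spec[64]; int this_all = 0;
        if (len == 0 || len >= sizeof spec) return RANGE_BAD;
        memcpy(spec, p, len); spec[len] = '\0';
        if (!parse_spec(spec, clen, &this_all)) return RANGE_BAD;
        count++; all |= this_all;
        p = comma ? comma + 1 : p + len;
    }
    return count == 0 ? RANGE_BAD
         : (all || count > max_ranges) ? RANGE_FULL : RANGE_PARTIAL;
}
```

The check does not merge overlapping ranges; it only answers the two questions raised in the message, whether the header is worth honouring as a partial response at all.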
