httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: Mitigation Range header (Was: DoS with mod_deflate & range requests)
Date Wed, 24 Aug 2011 11:57:55 GMT
 

> -----Original Message-----
> From: Dirk-Willem van Gulik 
> Sent: Mittwoch, 24. August 2011 13:33
> To: dev@httpd.apache.org
> Subject: Mitigation Range header (Was: DoS with mod_deflate & 
> range requests)
> 
> Folks,
> 
> This issue is now active in the wild. So some unified/simple 
> comms is needed. 
> 
> What is the wisdom on mitigation advice/briefing until a 
> proper fix is out - in order of ease:
> 
> ->	Where possible - disable mod_deflate
> 	
> 	=> we sure this covers all cases - or this is a good stopgap ?

As said this has *nothing* to do with mod_deflate. This was IMHO just
a guess by the original author of the tool.

> 
> ->	Where possible - set LimitRequestFieldSize to a small value
> 
> 	->	Suggestion of 128 fine?
> 
> ->	Where this is not possible (e.g. long cookies, auth 
> headers of serious size) consider using
> 	mod_rewrite to not accept more than a few commas
> 
> 	=>	anyone got a config snippet for this?

How about the following (untested) rewrite rule? It should allow at most 5
ranges.

RewriteEngine On
# Forbid unless the Range header is absent (^$) or carries at most 5 ranges;
# the condition must be negated, otherwise [F] hits exactly the legitimate requests.
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

Regards

Rüdiger
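Added example, not part of the message above or of httpd itself: a small Python harness that evaluates the rewrite condition's pattern against constructed Range header values, so the effect of the rule can be checked without a server. It assumes that Python's re module agrees with httpd's PCRE engine for this particular pattern (it does; the pattern uses only anchors, character classes and a bounded repeat), and that mod_rewrite expands %{HTTP:range} to the empty string when no Range header is present. The sample headers (NORMAL, FIVE, MANY) are constructed here, not captured traffic.

```python
import re

# The positive half of the mod_rewrite condition discussed above:
# a Range header of the form "bytes=<spec>" followed by at most four
# ",<spec>" parts, i.e. at most five ranges. Only commas are counted;
# the individual byte-range-specs are not validated.
ALLOWED_RANGE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$")


def forbidden_by_mitigation(range_header):
    """True if the request would get 403 from

        RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
        RewriteRule .* - [F]

    mod_rewrite expands %{HTTP:range} to "" when the header is absent, so
    None is treated as the empty string; the "^$" alternative keeps such
    requests (nearly all normal traffic) allowed.
    """
    value = "" if range_header is None else range_header
    if value == "":
        return False
    return ALLOWED_RANGE.match(value) is None


def forbidden_by_unnegated_pattern(range_header):
    """What the same RewriteCond does WITHOUT the leading "!": it matches
    exactly the well-formed, small requests, so [F] forbids those and lets
    everything else, oversized Range headers included, through."""
    value = "" if range_header is None else range_header
    return ALLOWED_RANGE.match(value) is not None


def range_count(range_header):
    """Number of comma-separated byte-range-specs, the quantity the regex
    bounds. 0 for an absent or non-"bytes=" header."""
    if not range_header or not range_header.startswith("bytes="):
        return 0
    specs = range_header[len("bytes="):]
    return len([s for s in specs.split(",") if s != ""])


# Constructed sample headers (assumption: representative, not captured):
# a normal resume request, a five-range request, and a many-range request
# of the kind a flooding tool sends, built here with 100 overlapping ranges.
NORMAL = "bytes=0-499"
FIVE = "bytes=0-0,-1,5-10,20-30,40-50"
MANY = "bytes=0-," + ",".join("5-%d" % i for i in range(1, 100))

if __name__ == "__main__":
    for label, hdr in (("none", None), ("normal", NORMAL),
                       ("five", FIVE), ("many", MANY)):
        print("%-7s ranges=%3d negated->403=%-5s unnegated->403=%s" % (
            label, range_count(hdr), forbidden_by_mitigation(hdr),
            forbidden_by_unnegated_pattern(hdr)))
```

Two caveats the harness makes visible: the pattern only counts commas, so a trailing comma or a range unit other than "bytes" is also forbidden, and RewriteCond matching is case-sensitive unless the [NC] flag is given, so a client sending "Bytes=" would be rejected as well.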
