httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: Mitigation Range header (Was: DoS with mod_deflate & range requests)
Date Wed, 24 Aug 2011 12:35:39 GMT
 

> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com] 
> Sent: Mittwoch, 24. August 2011 14:05
> To: dev@httpd.apache.org
> Subject: Re: Mitigation Range header (Was: DoS with 
> mod_deflate & range requests)
> 
> On Wed, Aug 24, 2011 at 7:57 AM, "Plüm, Rüdiger, VF-Group"
> <ruediger.pluem@vodafone.com> wrote:
> >
> >
> >> -----Original Message-----
> >> From: Dirk-Willem van Gulik
> >> Sent: Mittwoch, 24. August 2011 13:33
> >> To: dev@httpd.apache.org
> >> Subject: Mitigation Range header (Was: DoS with mod_deflate &
> >> range requests)
> >>
> >> Folks,
> >>
> >> This issue is now active in the wild. So some unified/simple
> >> comms is needed.
> >>
> >> What is the wisdom on mitigation advise/briefing until a
> >> proper fix it out - in order of ease:
> >>
> >> ->    Where possible - disable mod_deflate
> >>
> >>       => we sure this covers all cases - or this is a good 
> stopgap ?
> >
> > As said this has *nothing* to do with mod_deflate. This was 
> IMHO just
> > a guess by the original author of the tool.
> >
> >>
> >> ->    Where possible - set LimitRequestFieldSize to a small value
> >>
> >>       ->      Suggesting of 128 fine ?
> >>
> >> ->    Where this is not possible (e.g. long cookies, auth
> >> headers of serious size) consider using
> >>       mod_rewrite to not accept more than a few commas
> >>
> >>       =>      anyone a config snipped for this ?
> >
> > How about the following (untested) rewrite rule. It should 
> only allow 5
> > ranges at max.
> >
> > RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$
> > RewriteRule .* - [F]
> 
> Is [E=no-gzip] enough to avoid the downward spiral, for the sake of
> false positives?

As said it has IMHO nothing to do with mod_deflate. It is an issue of the byte range filter.

> 
> But your regex matches when there's just a couple of ranges -- maybe
> {4} and no $?

Of course it should have been:

RewriteCond %{HTTP:range} !^bytes=[^,]+(,[^,]+){0,4}$
RewriteRule .* - [F]

As said untested. Thanks for remote eyes.

Regards

Rüdiger


Mime
View raw message