httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: Mitigation Range header (Was: DoS with mod_deflate & range requests)
Date Wed, 24 Aug 2011 12:50:31 GMT
 

> -----Original Message-----
> From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org] 
> Sent: Mittwoch, 24. August 2011 14:14
> To: dev@httpd.apache.org
> Subject: Re: Mitigation Range header (Was: DoS with 
> mod_deflate & range requests)
> 
> 
> On 24 Aug 2011, at 12:57, Plüm, Rüdiger, VF-Group wrote:
> 
> >> ->	Where possible - disable mod_deflate
> >> 	
> >> 	=> we sure this covers all cases - or this is a good stopgap ?
> > 
> > As said this has *nothing* to do with mod_deflate. This was IMHO just
> > a guess by the original author of the tool.
> 
> Ok - but when I try it on my servers (with the check of the 
> tool removed)  - it seems quite impotent unless mod_deflate 
> is in the wire.

Hm, weird. I would guess that mod_deflate could even mitigate this attack as the byterange
filter only does something if it sees the whole response in the brigade the first time it
is called. Having mod_deflate compressing larger chunks of data causes the byterange filter
to be called multiple times with only parts of the response in the brigade.
So the byte range filter should only be applied with responses whose compressed response
fits into zlib's output filter.
Depending on the size of the input and the number of parallel requests it might be possible
that a lot of memory is consumed by mod_deflate anyway. But I would expect the same behaviour
without range requests as well.

> 
> And it seems a bit more potent when there is other 'keep in 
> the air' modules around.
> 
> So I guess mod_deflate is right now the largest 'plug' we 
> have in the server which can cause this backup ?
> 
> Or is that totally wrong. Happy to stand corrected !
> 
> 
> >> ->	Where possible - set LimitRequestFieldSize to a small value
> >> 
> >> 	->	Suggesting of 128 fine ?
> >> 
> >> ->	Where this is not possible (e.g. long cookies, auth 
> >> headers of serious size) consider using
> >> 	mod_rewrite to not accept more than a few commas
> >> 
> >> 	=>	anyone a config snippet for this ?
> > 
> > How about the following (untested) rewrite rule. It should only allow 5
> > ranges at max.
> > 
> > RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$
> > RewriteRule .* - [F]
> 
> 
> Sounds like a plan ! This mail crossed one I just sent out - 
> lemme update that too.

Please see my response to Eric. He detected an error in the above.

Regards

Rüdiger
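As an added illustration of the "at most five ranges" limit discussed in the thread (example code, not from the httpd project or the thread's authors): a small Range-header check that counts range-specs and refuses excess, plus the quoted RewriteCond pattern translated to a Python regex so its behaviour can be observed. The thread does not restate the error Eric found; the code only evaluates the pattern as written, which matches headers with one to five ranges, so a rule that forbids on a match would block exactly the requests the limit intends to allow. The sample header values are constructed.

```python
import re

# Limit suggested in the thread: at most 5 ranges per Range header.
MAX_RANGES = 5

# The (untested) RewriteCond pattern quoted in the thread, as a Python regex.
QUOTED_COND = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$")


def count_ranges(range_header):
    """Count comma-separated range-specs in a Range header value.

    Returns 0 for a missing header or one that is not a 'bytes=' range.
    """
    if not range_header:
        return 0
    unit, sep, specs = range_header.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return 0
    return len([s for s in specs.split(",") if s.strip()])


def range_header_allowed(range_header, max_ranges=MAX_RANGES):
    """Policy: allow a missing or ordinary Range header, refuse excess ranges."""
    return count_ranges(range_header) <= max_ranges


def quoted_cond_matches(range_header):
    """True when the pattern quoted in the thread matches the header value."""
    return QUOTED_COND.match(range_header or "") is not None


def decide(range_header):
    """Status a request filter would return: 403 to refuse, else 200."""
    return 200 if range_header_allowed(range_header) else 403


if __name__ == "__main__":
    # Constructed sample Range header values (None = header absent).
    samples = [
        None,
        "bytes=0-99",
        "bytes=0-0,100-199,300-",
        "bytes=" + ",".join(f"{i}-{i}" for i in range(6)),
    ]
    for h in samples:
        print(repr(h), count_ranges(h), decide(h), quoted_cond_matches(h))
```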

