httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <>
Subject RE: Mitigation Range header
Date Wed, 24 Aug 2011 14:33:48 GMT


> From: Greg Ames
> Sent: Wednesday, 24 August 2011 16:05
> Subject: Re: Mitigation Range header
>
> On Wed, Aug 24, 2011 at 9:01 AM, "Plüm, Rüdiger, VF-Group" <>
>
> > > Hmm - when I remove mod_deflate (i.e. explicitly as it is the
> > > default in all our installs) and test on a / entry which is a
> > > static file which is large (100k)* - then I cannot get Apache
> > > on its knees on a FreeBSD machine - saturating the 1Gbit
> > > connection it has (Note: the attack machines *are* getting
> > > saturated). The moment I put in mod_deflate, mod_external
> > > filter, etc - it is much easier to deplete enough
> > > resources to notice.
> > > Dw.
> > > *: as I cannot reproduce the issue with very small index.html files.
> >
> > Have you tried if the same happens with mod_deflate, but with one of
> > the proposed mitigations in place?
> > As said my guess is that this might be an issue with mod_deflate that
> > is unrelated to the Range request issue.
>
> I think mod_deflate is just the tool to convert an O(N^2) data size problem into an O(N^2)
> CPU usage problem, where N is some function of LimitRequestLine. If the file size is smaller
> than the largest range end used in the attack, it may reduce the amount of data actually going
> down the filter chain.

I don't think so. The compression happens before the byterange filter, and the byterange filter
just hacks the already compressed brigade into more buckets and rearranges them.
mod_deflate does not do more work if it is a range request. It does the same amount of work
as for the non-range request.
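As an added example (not code from this thread or from httpd itself), the following Python makes the "data size" cost discussed above measurable before a request reaches the filter chain: it parses a Range header using RFC 7233 byte-range semantics, computes how many bytes a multi-range request asks the server to produce relative to the resource size (the merged, distinct span versus the raw sum of all ranges), and flags requests that exceed thresholds. MAX_RANGES and MAX_AMPLIFICATION are assumed values chosen for this example, not httpd directives, and the sample headers are constructed.

```python
"""
Added example for the httpd-dev Range-header thread; not code from the
thread or from httpd. Quantifies the server-side data volume a multi-range
request implies and flags outliers. Thresholds below are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Illustrative thresholds (assumptions for this example, not httpd configuration).
MAX_RANGES = 32           # more byte-ranges than this in one request is suspicious
MAX_AMPLIFICATION = 2.0   # total requested bytes / resource size

_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_range_header(value: str, content_length: int) -> Optional[List[Tuple[int, int]]]:
    """Return the satisfiable (first, last) byte ranges, inclusive, in request order.

    Returns None when the header is syntactically invalid (a server then ignores
    it and serves the whole resource). Ranges entirely past the end of the
    resource are unsatisfiable and are dropped rather than treated as errors.
    """
    if not value.startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m:
            return None
        first, last = m.groups()
        if first == "" and last == "":
            return None
        if first == "":
            # Suffix range "-N": the last N bytes of the resource.
            n = int(last)
            if n == 0 or content_length <= 0:
                continue
            ranges.append((max(0, content_length - n), content_length - 1))
            continue
        start = int(first)
        end = content_length - 1 if last == "" else int(last)
        if last != "" and end < start:
            return None
        if start >= content_length:
            continue  # unsatisfiable, ignored
        ranges.append((start, min(end, content_length - 1)))
    return ranges


def merge_ranges(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge overlapping or adjacent ranges into the distinct byte spans they cover."""
    merged: List[Tuple[int, int]] = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def _span_bytes(ranges: List[Tuple[int, int]]) -> int:
    return sum(last - first + 1 for first, last in ranges)


def assess_range_request(value: str, content_length: int,
                         max_ranges: int = MAX_RANGES,
                         max_amplification: float = MAX_AMPLIFICATION) -> Dict[str, object]:
    """Compare what the request asks the server to emit with the resource's actual size."""
    ranges = parse_range_header(value, content_length)
    if ranges is None:
        return {"valid": False, "flagged": False, "range_count": 0, "requested_bytes": 0,
                "distinct_bytes": 0, "amplification": 0.0,
                "reasons": ["invalid Range header; served as full content"]}
    requested = _span_bytes(ranges)                 # bytes the byterange filter would produce
    distinct = _span_bytes(merge_ranges(ranges))    # bytes of the resource actually involved
    amplification = requested / content_length if content_length > 0 else 0.0
    reasons: List[str] = []
    if len(ranges) > max_ranges:
        reasons.append(f"{len(ranges)} ranges exceeds limit of {max_ranges}")
    if amplification > max_amplification:
        reasons.append(f"requested {requested} bytes is {amplification:.1f}x "
                       f"the {content_length}-byte resource")
    return {"valid": True, "flagged": bool(reasons), "range_count": len(ranges),
            "requested_bytes": requested, "distinct_bytes": distinct,
            "amplification": amplification, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers against a 100 KB static file, as in the thread.
    for header in ("bytes=0-1023,2048-4095", "bytes=0-,0-,0-", "bytes=abc"):
        print(header, "->", assess_range_request(header, 100 * 1024))
```

A normal resumable download asks for a small fraction of the file and is not flagged; a request whose ranges repeatedly cover the whole resource shows an amplification factor equal to the number of ranges, which is the quantity the byterange filter has to materialize as buckets regardless of whether mod_deflate is in the chain.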
