httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: Mitigation Range header
Date Wed, 24 Aug 2011 12:39:31 GMT

On 24 Aug 2011, at 13:22, Florian Weimer wrote:

> * Plüm, Rüdiger, VF-Group:
> 
>> As said this has *nothing* to do with mod_deflate. This was IMHO just
>> a guess by the original author of the tool.
> 
> This matches my testing, too.  I see a significant peak in RAM usage on
> a server where "apachectl -M" does not print anything with the string
> "deflate" (so I assume that mod_deflate is not enabled).  This is with
> 2.2.9-10+lenny9 on Debian.
> 
> If it is more difficult to check if mod_deflate is enabled, the advisory
> should tell how to check your server.  If the method I used is the
> correct one, I don't think it's reasonable to suggest disabling
> mod_deflate as a mitigation because it does not seem to make much of a
> difference.

Hmm - when I remove mod_deflate (i.e. explicitly, as it is the default in all our installs)
and test on a / entry which is a static file which is large (100k)* - then I cannot get Apache
on its knees on a FreeBSD machine - saturating the 1Gbit connection it has (Note: the attack
machines *are* getting saturated).  The moment I put in mod_deflate, mod_external filter,
etc - it is much easier to deplete enough resources to notice.

Dw.

*: as I cannot reproduce the issue with very small index.html files.


