httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: Mitigation Range header (Was: DoS with mod_deflate & range requests)
Date Wed, 24 Aug 2011 12:14:00 GMT

On 24 Aug 2011, at 12:57, Plüm, Rüdiger, VF-Group wrote:

>> ->	Where possible - disable mod_deflate
>> 	
>> 	=> we sure this covers all cases - or this is a good stopgap ?
> 
> As said this has *nothing* to do with mod_deflate. This was IMHO just
> a guess by the original author of the tool.

Ok - but when I try it on my servers (with the check of the tool removed) - it seems quite
impotent unless mod_deflate is in the wire.

And it seems a bit more potent when there is other 'keep in the air' modules around.

So I guess mod_deflate is right now the largest 'plug' we have in the server which can cause
this backup ?

Or is that totally wrong. Happy to stand corrected !


>> ->	Where possible - set LimitRequestFieldSize to a small value
>> 
>> 	->	Suggesting of 128 fine ?
>> 
>> ->	Where this is not possible (e.g. long cookies, auth 
>> headers of serious size) consider using
>> 	mod_rewrite to not accept more than a few commas
>> 
>> 	=>	anyone a config snippet for this ?
> 
> How about the following (untested) rewrite rule. It should only allow 5
> ranges at max.
> 
> # Forbid a request when its Range header is present and carries more than
> # five comma-separated ranges; an absent/empty Range header passes.
> RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
> RewriteRule .* - [F]


Sounds like a plan ! This mail crossed one I just sent out - lemme update that too.

Dw.
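The following is an added example, not part of this thread or of the Apache project: it reproduces the "at most 5 ranges" check from the quoted rewrite rule in Python, so the regex can be exercised against constructed Range header values before it goes into a live config. The function names (`range_header_allowed`, `count_ranges`, `unnegated_rule_matches`) and the sample headers are assumptions made for the example; the regex itself is the one from the rule.

```python
import re

# The pattern from the quoted rewrite rule: a Range header carrying one to
# five comma-separated range specs. A RewriteCond using it WITHOUT the
# leading "!" matches exactly the requests that should be allowed, which is
# why the condition has to be negated (and an empty header allowed).
UNNEGATED_RULE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$")


def unnegated_rule_matches(value):
    """True if the un-negated condition would fire (i.e. forbid) on this value."""
    return value is not None and UNNEGATED_RULE.match(value) is not None


def range_header_allowed(value, max_ranges=5):
    """Mirror the negated rule: pass requests with no Range header, or with a
    Range header of at most max_ranges comma-separated ranges; reject the rest.

    Assumption: the comma count is used as the proxy for the number of ranges,
    exactly as the rewrite rule does; the ranges are not validated further.
    """
    if value is None or value == "":
        return True
    pattern = re.compile(r"^bytes=[^,]+(,[^,]+){0,%d}$" % (max_ranges - 1))
    return pattern.match(value) is not None


def count_ranges(value):
    """Count the non-empty comma-separated range specs in a Range header value."""
    if not value or not value.startswith("bytes="):
        return 0
    return len([r for r in value[len("bytes="):].split(",") if r.strip()])


# Constructed sample header values (not captured traffic).
SAMPLE_HEADERS = {
    "none": None,
    "single": "bytes=0-499",
    "five": "bytes=0-1,1-2,2-3,3-4,4-5",
    "six": "bytes=0-1,1-2,2-3,3-4,4-5,5-6",
    "flood": "bytes=" + ",".join("5-%d" % i for i in range(1300)),
}


def evaluate_samples():
    """Return {name: (range_count, allowed)} for every sample header."""
    return {
        name: (count_ranges(v), range_header_allowed(v))
        for name, v in SAMPLE_HEADERS.items()
    }


if __name__ == "__main__":
    for name, (n, ok) in evaluate_samples().items():
        print("%-7s ranges=%-5d %s" % (name, n, "allow" if ok else "403"))
```

Running the block shows the "none", "single" and "five" samples passing and "six" and "flood" being rejected; it also shows that the un-negated condition matches "single", i.e. the rule as originally quoted would have returned 403 for an ordinary single-range request.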