From: Dirk-Willem van Gulik
To: dev@httpd.apache.org
Date: Wed, 24 Aug 2011 12:33:12 +0100
Subject: Mitigation Range header (Was: DoS with mod_deflate & range requests)
Message-Id: <5A3B5F78-AEAF-4922-9C86-7669CCD18024@webweaving.org>

Folks,

This issue is now active in the wild. So some unified/simple comms is needed.

What is the wisdom on mitigation advice/briefing until a proper fix is out - in order of ease:

-> Where possible - disable mod_deflate
    => are we sure this covers all cases - or is this a good stopgap?

-> Where possible - set LimitRequestFieldSize to a small value
    -> Suggestion of 128 fine?

-> Where this is not possible (e.g. long cookies, auth headers of serious size) consider using mod_rewrite to not accept more than a few commas
    => anyone a config snippet for this?

-> Perhaps a stop-gap module http://people.apache.org/~dirkx/mod_rangecnt.c (is this kosher??)

-> Apply patch XXX from the mailing list

Any thoughts?

Followed by a

- upgrade as soon as a release is made

Thanks,

Dw
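The "not more than a few commas" check from the mail, written as an added Python example (not code from the mail, from httpd or from mod_rangecnt.c) of the kind a reverse proxy or log filter could apply to the Range header before a request reaches the server; it goes one step beyond the mail by also refusing overlapping ranges. MAX_RANGES = 5 is an assumed threshold, and the sample headers in the test are constructed.

```python
import re

# Assumed threshold (not from the mail): "not more than a few commas".
MAX_RANGES = 5
_BYTE_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header_value):
    """Split 'bytes=a-b,c-,-d' into (first, last) tuples; None = open end.
    Returns None for an invalid bytes range (RFC 2616 14.35.1), e.g.
    'bytes=-' or a spec with last < first.
    """
    body = header_value.strip()
    if not body.lower().startswith("bytes="):
        return None
    specs = []
    for part in body[len("bytes="):].split(","):
        m = _BYTE_RANGE_SPEC.match(part.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None
        specs.append((first, last))
    return specs


def range_header_is_abusive(header_value, max_ranges=MAX_RANGES):
    """True if the Range header should be refused before it reaches httpd.
    Signal 1 (from the mail): more than max_ranges comma-separated specs.
    Signal 2 (added here): two ranges that overlap, which no ordinary
    client needs and which makes the server rebuild the same bytes.
    """
    body = header_value.strip()
    if not body.lower().startswith("bytes="):
        return False  # not a bytes range, so not this attack surface
    if body.count(",") + 1 > max_ranges:
        return True
    specs = parse_byte_ranges(body)
    if specs is None:
        return False  # RFC 2616: an invalid Range header is ignored
    # Suffix ranges (-N) depend on the entity length, so they are skipped;
    # open-ended ranges (N-) extend to infinity for the overlap test.
    spans = sorted((f, float("inf") if l is None else l)
                   for f, l in specs if f is not None)
    for (_, l1), (f2, _) in zip(spans, spans[1:]):
        if f2 <= l1:
            return True
    return False
```

The count check alone can also be expressed in httpd itself as a RewriteCond on %{HTTP:Range} that rejects values with more than a few comma-separated specs, which is the mod_rewrite route the mail asks about.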