Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Received-SPF: pass (athena.apache.org: domain of dirkx@webweaving.org
 designates 178.18.23.51 as permitted sender)
From: Dirk-WIllem van Gulik <dirkx@webweaving.org>
Mime-Version: 1.0 (Apple Message framework v1244.3)
Content-Type: multipart/alternative;
 boundary="Apple-Mail=_35B1C86F-F0B5-4CC9-B4EE-67B7BDB425D6"
Subject: Re: DoS with mod_deflate & range requests
Date: Wed, 24 Aug 2011 21:45:59 +0100
In-Reply-To: 
 <CAHSOX_B9DMUY+UMswrjkuOBQSzaiL8cC28boH3JC6dygq7yNUw@mail.gmail.com>
To: dev@httpd.apache.org
References: <alpine.DEB.2.00.1108231306230.24177@eru.sfritsch.de>
 <4E53EEEF.2060409@rowe-clan.net> <201108232049.58021.sf@sfritsch.de>
 <4E540062.4040903@rowe-clan.net>
 <CAHSOX_AGmaMJ=qkv7WCwaNXgpGB_+xcg9ZCA_cMi5Zo3+bWdCw@mail.gmail.com>
 <4E541CE5.1080608@rowe-clan.net>
 <DE3804B8-18F2-45B9-8A24-FE95C44CA3CA@gbiv.com>
 <20110824153559.GA24702@nebula.c8h10n4o2.org.uk>
 <71A86EB1-CCBA-40E9-A853-02C2CC3400A6@bbc.co.uk>
 <E563FB5AB3F02844AC749BA39E494AB4052FBF7D@VF-MBX11.internal.vodafone.com>
 <4E55253C.3050905@rowe-clan.net>
 <08F45893-EBFE-4C35-BE1E-37F2189D194D@jaguNET.com>
 <CAHSOX_D9dB8A5LUs4_6dh14_qkUT5W32wezzCFbGAxdKKNHrug@mail.gmail.com>
 <A91D84B6-65B4-48DE-A1D4-B4FAC1A24F83@jaguNET.com>
 <CAHSOX_B9DMUY+UMswrjkuOBQSzaiL8cC28boH3JC6dygq7yNUw@mail.gmail.com>
Message-Id: <D903DA73-B4F0-48B5-94B4-B8372D0A22BE@webweaving.org>


--Apple-Mail=_35B1C86F-F0B5-4CC9-B4EE-67B7BDB425D6
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252


On 24 Aug 2011, at 21:39, Greg Ames wrote:

> On Wed, Aug 24, 2011 at 3:19 PM, Jim Jagielski <jim@jagunet.com> =
wrote:
>=20
> >
> > If we only merge adjacent ascending ranges, then it seems like an =
attacker could just craft a header where the ranges jump around and =
dodge our fix.
> >
>=20
> I think no matter what, we should still have some sort of
> upper limit on the number of range-sets we accept=85 after all,
> merge doesn't prevent jumping around ;)
>=20
>=20
> The problem I have with the upper limit on the number of range sets is =
the use case someone posted for JPEG2000 streaming.  That has a lot of =
range sets but is completely legit.  However, the ranges are in =
ascending order and don't overlap.  Maybe we could count overlaps and/or =
non-ascending order ranges and fall back to 200 + the whole object if it =
exceeds a limit.

Right - and the other two use cases in the wild are

-	PDF readers - which fetch something at the start in RQ 1 and =
then the index form the end - and then quick looks images for each page =
and title pages. I've seen them do a second and 3rd request with many =
10's of ranges.

-	Some of the streaming video (semi/pro) video editors - which =
fetch a bunch of i-Frames and do clever skip over stuff. Not in the high =
tens; but 10-15 ranges common.

-	Likewise for very clever MXF professional editing equipment - =
the largest case (yup - it did crash my server) tried to fetch over 2000 =
ranges :)

So I think we really should endeavor to allow 50 to a few 100 of them. =
Or at the very least - make it a config option to cut off below 50 or =
so.

Dw.=

--Apple-Mail=_35B1C86F-F0B5-4CC9-B4EE-67B7BDB425D6
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=windows-1252

<html><head></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; =
"><br><div><div>On 24 Aug 2011, at 21:39, Greg Ames wrote:</div><br =
class=3D"Apple-interchange-newline"><blockquote type=3D"cite">On Wed, =
Aug 24, 2011 at 3:19 PM, Jim Jagielski <span dir=3D"ltr">&lt;<a =
href=3D"mailto:jim@jagunet.com">jim@jagunet.com</a>&gt;</span> =
wrote:<br><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" =
style=3D"margin:0 0 0 .8ex;border-left:1px #ccc =
solid;padding-left:1ex;">
<br><div class=3D"im">
&gt;<br>
&gt; If we only merge adjacent ascending ranges, then it seems like an =
attacker could just craft a header where the ranges jump around and =
dodge our fix.<br>
&gt;<br>
<br>
</div>I think no matter what, we should still have some sort of<br>
upper limit on the number of range-sets we accept=85 after all,<br>
merge doesn't prevent jumping around ;)<br>
<br>
</blockquote></div><br>The problem I have with the upper limit on the =
number of range sets is the use case someone posted for JPEG2000 =
streaming.&nbsp; That has a lot of range sets but is completely =
legit.&nbsp; However, the ranges are in ascending order and don't =
overlap.&nbsp; Maybe we could count overlaps and/or non-ascending order =
ranges and fall back to 200 + the whole object if it exceeds a =
limit.<br></blockquote></div><br><div>Right - and the other two use =
cases in the wild are</div><div><br></div><div>-<span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>PDF =
readers - which fetch something at the start in RQ 1 and then the index =
form the end - and then quick looks images for each page and title =
pages. I've seen them do a second and 3rd request with many 10's of =
ranges.</div><div><br></div><div>-<span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span>Some of the streaming video =
(semi/pro) video editors - which fetch a bunch of i-Frames and do clever =
skip over stuff. Not in the high tens; but 10-15 ranges =
common.</div><div><br></div><div>-<span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span>Likewise for very clever MXF =
professional editing equipment - the largest case (yup - it did crash my =
server) tried to fetch over 2000 ranges :)</div><div><br></div><div>So I =
think we really should endeavor to allow 50 to a few 100 of them. Or at =
the very least - make it a config option to cut off below 50 or =
so.</div><div><br></div><div>Dw.</div></body></html>=

--Apple-Mail=_35B1C86F-F0B5-4CC9-B4EE-67B7BDB425D6--