> -----Original Message-----
> From: Stefan Fritsch [mailto:s...@sfritsch.de]
> Sent: Tuesday, 23 August 2011 13:09
> To: dev@httpd.apache.org
> Subject: DoS with mod_deflate & range requests
>
> http://seclists.org/fulldisclosure/2011/Aug/175
>
> I haven't looked into it so far. And I am not sure I will
> have time today.
After checking the attack script and the code, this has IMHO nothing to do with mod_deflate but only with the byterange filter. But I admit that I haven't run the script to check.

The host is seen as vulnerable if it replies to a range request that requests the whole entity via a range "0-" with a partial response.

A possible problem is that the output bucket brigade gets transformed into a "one bucket per byte" brigade and thus into a brigade with many buckets. Furthermore, the created range response has a lot of buckets with boundaries, strings allocated from r->pool.

So it might be advisable if we limit the number of ranges we accept contained in a Range header. As a further optimization we could check for "0-" ranges and once we hit one just reply with the full response instead of a partial response.

Regards

Rüdiger
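The two mitigations proposed above (cap the number of ranges accepted from a Range header, and short-circuit to a full response when a "0-" range already asks for the whole entity) can be expressed as a small policy check that runs before any byterange brigade is built. The following is an added example, not httpd code and not part of this thread: the names `range_decision`, `range_header_policy` and `max_ranges` are assumptions, the sample headers in `main` are constructed, and the optional `entity_len` parameter extends the mail's "0-" rule to a "0-N" range where N reaches past the end of the entity, which goes slightly beyond what the mail proposes.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Decision for a Range header, following the two mitigations from the mail:
 * cap the number of accepted ranges, and serve the full entity when a "0-"
 * range already asks for all of it (names are assumptions, not httpd's). */
enum range_decision {
    RANGE_IGNORE,   /* absent or malformed: serve the full entity, no 206 */
    RANGE_FULL,     /* a range covers the entity from byte 0: full response */
    RANGE_TOO_MANY, /* more ranges than max_ranges: do not build a 206 */
    RANGE_PARTIAL   /* small, well-formed set: safe to hand to byterange code */
};

/* Parse a run of ASCII digits into a long; reject empty runs and overflow. */
static int parse_digits(const char *s, size_t len, long *out)
{
    long v = 0;
    size_t i;
    if (len == 0) return 0;
    for (i = 0; i < len; i++) {
        int d;
        if (!isdigit((unsigned char)s[i])) return 0;
        d = s[i] - '0';
        if (v > (LONG_MAX - d) / 10) return 0;      /* would overflow */
        v = v * 10 + d;
    }
    *out = v;
    return 1;
}

/* Parse one byte-range-spec: "a-b", "a-" (open-ended) or "-n" (suffix).
 * Sets *first/*last to -1 for the absent side. Returns 1 if well formed. */
static int parse_range_spec(const char *s, size_t len, long *first, long *last)
{
    const char *dash = memchr(s, '-', len);
    size_t flen, llen;
    if (dash == NULL) return 0;
    flen = (size_t)(dash - s);
    llen = len - flen - 1;
    *first = *last = -1;
    if (flen == 0 && llen == 0) return 0;                       /* bare "-" */
    if (flen > 0 && !parse_digits(s, flen, first)) return 0;
    if (llen > 0 && !parse_digits(dash + 1, llen, last)) return 0;
    if (*first >= 0 && *last >= 0 && *last < *first) return 0;  /* "10-5" */
    return 1;
}

/* Classify a Range header value. entity_len is the entity size in bytes, or
 * -1 if unknown (it only extends the "0-" rule to "0-N" with N past the end).
 * n_out, if non-NULL, receives the number of ranges seen. */
enum range_decision range_header_policy(const char *hdr, size_t max_ranges,
                                        long entity_len, size_t *n_out)
{
    const char *p;
    size_t n = 0;
    int covers_all = 0;

    if (n_out) *n_out = 0;
    if (hdr == NULL || strncmp(hdr, "bytes=", 6) != 0) return RANGE_IGNORE;

    for (p = hdr + 6; ; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        long first, last;

        /* tolerate optional whitespace around each list element */
        while (len > 0 && isspace((unsigned char)*p)) { p++; len--; }
        while (len > 0 && isspace((unsigned char)p[len - 1])) len--;

        if (len > 0) {
            if (!parse_range_spec(p, len, &first, &last))
                return RANGE_IGNORE;        /* malformed set: ignore header */
            n++;
            if (first == 0 &&
                (last == -1 || (entity_len >= 0 && last >= entity_len - 1)))
                covers_all = 1;
        }
        if (end == NULL) break;
        p = end + 1;
    }

    if (n_out) *n_out = n;
    if (n == 0) return RANGE_IGNORE;
    if (covers_all) return RANGE_FULL;          /* the "0-" shortcut */
    if (n > max_ranges) return RANGE_TOO_MANY;  /* the range-count limit */
    return RANGE_PARTIAL;
}

int main(void)
{
    /* constructed sample headers, not taken from the advisory */
    const char *samples[] = { "bytes=0-", "bytes=0-99,200-299",
                              "bytes=0-0,1-1,2-2,3-3,4-4,5-5", "bytes=-500" };
    size_t i, n;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum range_decision d = range_header_policy(samples[i], 5, -1, &n);
        printf("%-32s ranges=%zu decision=%d\n", samples[i], n, (int)d);
    }
    return 0;
}
```

The check is deliberately done on the header string alone, before any buckets or boundary strings are allocated from r->pool, so a header with thousands of ranges is rejected at the cost of one pass over its bytes. The "0-" test is evaluated before the count limit because either outcome ends in a full response; keeping them distinct only matters for logging which rule fired.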