> -----Original Message-----
> From: Dirk-Willem van Gulik
> Sent: Wednesday, 24 August 2011 13:33
> To: [email protected]
> Subject: Mitigation Range header (Was: DoS with mod_deflate &
> range requests)
>
> Folks,
>
> This issue is now active in the wild. So some unified/simple
> comms is needed.
>
> What is the wisdom on mitigation advice/briefing until a
> proper fix is out - in order of ease:
>
> -> Where possible - disable mod_deflate
>
> => Are we sure this covers all cases - or is this a good stopgap?
As said, this has *nothing* to do with mod_deflate. This was IMHO just
a guess by the original author of the tool.
>
> -> Where possible - set LimitRequestFieldSize to a small value
>
> -> Suggestion of 128 fine?
>
> -> Where this is not possible (e.g. long cookies, auth
> headers of serious size) consider using
> mod_rewrite to not accept more than a few commas
>
> => Anyone have a config snippet for this?
How about the following (untested) rewrite rule? It should allow at
most 5 ranges.
# Condition negated so the [F] rule fires only on MORE than 5 ranges; an absent
# Range header (%{HTTP:range} expands to empty) is allowed through.
RewriteEngine On
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
Regards
Rüdiger
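Added here as a worked illustration, not part of the thread and not Apache project code: a small Python script that applies the same regular expression as the RewriteCond above to a few constructed Range values, and shows why the condition has to be negated. Matched as written without a leading `!`, the pattern is true for requests with one to five ranges, so an `[F]` rule driven by it would forbid exactly the requests that should pass; the negated form forbids only requests with six or more ranges and lets an absent header through. It also checks each sample against the LimitRequestFieldSize value of 128 suggested in the thread. Function names, the sample headers and the assumption that the field-size limit counts the whole "Range: ..." line are mine.

```python
import re

# Same regular expression as the RewriteCond in the thread: a Range value
# carrying one to five comma-separated range specs (case-sensitive, as in
# an un-flagged RewriteCond).
AT_MOST_FIVE_RANGES = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$")

# LimitRequestFieldSize value suggested in the thread (bytes).
SUGGESTED_FIELD_LIMIT = 128


def count_ranges(range_value):
    """Number of non-empty comma-separated range specs in a Range value."""
    if not range_value.startswith("bytes="):
        return 0
    specs = range_value[len("bytes="):].split(",")
    return len([s for s in specs if s.strip()])


def unnegated_cond_forbids(range_value):
    """RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$ + RewriteRule .* - [F]
    The rule fires (403) when the condition MATCHES, i.e. on requests with
    at most five ranges: the opposite of what is wanted."""
    return AT_MOST_FIVE_RANGES.match(range_value) is not None


def negated_cond_forbids(range_value):
    """RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
    Fires only when a Range header is present and has more than five
    ranges. An empty string stands for 'no Range header sent'."""
    if range_value == "":
        return False
    return AT_MOST_FIVE_RANGES.match(range_value) is None


def exceeds_field_limit(range_value, limit=SUGGESTED_FIELD_LIMIT):
    """Would 'Range: <value>' be rejected by LimitRequestFieldSize <limit>?
    Assumption: the limit is applied to the whole header line, name included."""
    return len(("Range: " + range_value).encode("ascii")) > limit


def mitigation_decision(range_value):
    """Status the two mitigations together would produce. The field-size
    limit is enforced while headers are read, before mod_rewrite runs, so
    it is checked first."""
    if exceeds_field_limit(range_value):
        return 400
    if negated_cond_forbids(range_value):
        return 403
    return 200


# Constructed sample headers (not captured traffic).
NORMAL = "bytes=0-1023"
MULTI = "bytes=0-99,200-299,400-499,600-699,800-899"          # 5 ranges
SIX = MULTI + ",1000-1099"                                    # 6 ranges
ABUSIVE = "bytes=0-," + ",".join("5-%d" % i for i in range(200))  # 201 ranges

if __name__ == "__main__":
    for name, value in [("normal", NORMAL), ("five", MULTI),
                        ("six", SIX), ("abusive", ABUSIVE)]:
        print("%-8s ranges=%-4d unnegated_forbids=%-5s negated_forbids=%-5s "
              "over_128=%-5s decision=%d" % (
                  name, count_ranges(value), unnegated_cond_forbids(value),
                  negated_cond_forbids(value), exceeds_field_limit(value),
                  mitigation_decision(value)))
```

Running it prints one line per sample; the "five" row is the interesting one, since it is the legitimate case the un-negated condition would still forbid.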