On Wed, Aug 24, 2011 at 7:57 AM, "Plüm, Rüdiger, VF-Group"
<ruediger.pl...@vodafone.com> wrote:
>
>
>> -----Original Message-----
>> From: Dirk-Willem van Gulik
>> Sent: Mittwoch, 24. August 2011 13:33
>> To: dev@httpd.apache.org
>> Subject: Mitigation Range header (Was: DoS with mod_deflate &
>> range requests)
>>
>> Folks,
>>
>> This issue is now active in the wild. So some unified/simple
>> comms is needed.
>>
>> What is the wisdom on mitigation advise/briefing until a
>> proper fix it out - in order of ease:
>>
>> -> Where possible - disable mod_deflate
>>
>> => we sure this covers all cases - or this is a good stopgap ?
>
> As said this has *nothing* to do with mod_deflate. This was IMHO just
> a guess by the original author of the tool.
>
>>
>> -> Where possible - set LimitRequestFieldSize to a small value
>>
>> -> Suggesting of 128 fine ?
>>
>> -> Where this is not possible (e.g. long cookies, auth
>> headers of serious size) consider using
>> mod_rewrite to not accept more than a few commas
>>
>> => anyone a config snipped for this ?
>
> How about the following (untested) rewrite rule. It should only allow 5
> ranges at max.
>
> RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$
> RewriteRule .* - [F]
Is [E=no-gzip] enough to avoid the downward spiral, for the sake of
false positives?
But your regex matches when there's just a couple of ranges -- maybe
{4} and no $?
