On Wed, Aug 24, 2011 at 7:57 AM, "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com> wrote:
>
>
>> -----Original Message-----
>> From: Dirk-Willem van Gulik
>> Sent: Wednesday, 24 August 2011 13:33
>> To: dev@httpd.apache.org
>> Subject: Mitigation Range header (Was: DoS with mod_deflate & range requests)
>>
>> Folks,
>>
>> This issue is now active in the wild. So some unified/simple comms is needed.
>>
>> What is the wisdom on mitigation advice/briefing until a proper fix is out - in order of ease:
>>
>> -> Where possible - disable mod_deflate
>>
>> => are we sure this covers all cases - or is this a good stopgap?
>
> As said this has *nothing* to do with mod_deflate. This was IMHO just
> a guess by the original author of the tool.
>
>>
>> -> Where possible - set LimitRequestFieldSize to a small value
>>
>> -> Is a suggestion of 128 fine?
>>
>> -> Where this is not possible (e.g. long cookies, auth headers of serious size) consider using
>> mod_rewrite to not accept more than a few commas
>>
>> => anyone have a config snippet for this?
>
> How about the following (untested) rewrite rule. It should only allow 5
> ranges at max.
>
> RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$
> RewriteRule .* - [F]
Is [E=no-gzip] enough to avoid the downward spiral, for the sake of false positives? But your regex matches when there's just a couple of ranges -- maybe {4} and no $?
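To make the behaviour of the quoted rule concrete, here is an added Python check (not from the thread or from the httpd project) that runs the posted RewriteCond regex against Range headers with one to many ranges, next to a corrected condition and a plain counting check. The corrected pattern `^bytes=[^,]+(,[^,]+){5}` is my own formulation: dropping the `$` anchor and requiring five further comma-separated specs makes the condition fire only on six or more ranges, so "5 ranges at max" is still honoured (with `{4}` instead, a header carrying exactly five ranges would be forbidden as well). Python's `re` module is used as a stand-in for mod_rewrite's PCRE matching; the case-insensitive flag corresponds to mod_rewrite's `[NC]` flag. The sample headers are constructed inline.

```python
import re

# RewriteCond regex exactly as posted in the thread. Note that it MATCHES
# headers with 1..5 ranges, so combined with "RewriteRule .* - [F]" it
# forbids the requests that were meant to be allowed and lets >5 ranges pass.
POSTED_COND = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$", re.IGNORECASE)

# Corrected condition (my assumption, not from the thread): no trailing $,
# and {5} so the pattern only matches when at least six range specs are
# present. mod_rewrite form: RewriteCond %{HTTP:Range} ^bytes=[^,]+(,[^,]+){5} [NC]
CORRECTED_COND = re.compile(r"^bytes=[^,]+(,[^,]+){5}", re.IGNORECASE)

MAX_RANGES = 5  # the limit the thread is aiming for


def range_count(header):
    """Count the comma-separated range specs in a Range header value.

    Returns 0 for a missing header or one that does not use the bytes unit,
    so callers treat such requests as carrying no ranges at all.
    """
    if header is None:
        return 0
    value = header.strip()
    if not value.lower().startswith("bytes="):
        return 0
    specs = [s for s in value[len("bytes="):].split(",") if s.strip()]
    return len(specs)


def posted_rule_forbids(header):
    """True if the thread's RewriteCond would match and the [F] rule fire."""
    return header is not None and bool(POSTED_COND.match(header))


def corrected_rule_forbids(header):
    """True if the corrected RewriteCond would match and the [F] rule fire."""
    return header is not None and bool(CORRECTED_COND.match(header))


def count_rule_forbids(header, max_ranges=MAX_RANGES):
    """Regex-free equivalent: forbid when more than max_ranges specs are sent.

    This is the logic a WAF or request filter would implement directly.
    """
    return range_count(header) > max_ranges


def make_range_header(n):
    """Construct a sample Range header with n single-byte ranges (test data)."""
    return "bytes=" + ",".join(f"{i}-{i}" for i in range(n))


def evaluate(header):
    """Return the verdict of each variant for one header value."""
    return {
        "ranges": range_count(header),
        "posted_forbids": posted_rule_forbids(header),
        "corrected_forbids": corrected_rule_forbids(header),
        "count_forbids": count_rule_forbids(header),
    }


if __name__ == "__main__":
    print(f"{'ranges':>6} {'posted':>8} {'corrected':>10} {'count':>6}")
    for n in (1, 2, 4, 5, 6, 50):
        v = evaluate(make_range_header(n))
        print(f"{v['ranges']:>6} {str(v['posted_forbids']):>8} "
              f"{str(v['corrected_forbids']):>10} {str(v['count_forbids']):>6}")
```

Running the block prints one row per sample header: the posted regex forbids the 1 to 5 range requests and passes the 6 and 50 range ones, while the corrected regex and the counting check agree with each other and forbid only the headers with more than five ranges. The counting variant is the one to prefer where the filter is not mod_rewrite, since it does not depend on regex anchoring at all.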