> -----Original Message-----
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: Mittwoch, 24. August 2011 14:05
> To: dev@httpd.apache.org
> Subject: Re: Mitigation Range header (Was: DoS with
> mod_deflate & range requests)
>
> On Wed, Aug 24, 2011 at 7:57 AM, "Plüm, Rüdiger, VF-Group"
> <ruediger.pl...@vodafone.com> wrote:
> >
> >
> >> -----Original Message-----
> >> From: Dirk-Willem van Gulik
> >> Sent: Mittwoch, 24. August 2011 13:33
> >> To: dev@httpd.apache.org
> >> Subject: Mitigation Range header (Was: DoS with mod_deflate &
> >> range requests)
> >>
> >> Folks,
> >>
> >> This issue is now active in the wild. So some unified/simple
> >> comms is needed.
> >>
> >> What is the wisdom on mitigation advise/briefing until a
> >> proper fix it out - in order of ease:
> >>
> >> -> Where possible - disable mod_deflate
> >>
> >> => we sure this covers all cases - or this is a good
> stopgap ?
> >
> > As said this has *nothing* to do with mod_deflate. This was
> IMHO just
> > a guess by the original author of the tool.
> >
> >>
> >> -> Where possible - set LimitRequestFieldSize to a small value
> >>
> >> -> Suggesting of 128 fine ?
> >>
> >> -> Where this is not possible (e.g. long cookies, auth
> >> headers of serious size) consider using
> >> mod_rewrite to not accept more than a few commas
> >>
> >> => anyone a config snipped for this ?
> >
> > How about the following (untested) rewrite rule. It should
> only allow 5
> > ranges at max.
> >
> > RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$
> > RewriteRule .* - [F]
>
> Is [E=no-gzip] enough to avoid the downward spiral, for the sake of
> false positives?
As said it has IMHO nothing to do with mod_deflate. It is an issue of the byte
range filter.
>
> But your regex matches when there's just a couple of ranges -- maybe
> {4} and no $?
Of course it should have been:
RewriteCond %{HTTP:range} !^bytes=[^,]+(,[^,]+){0,4}$
RewriteRule .* - [F]
As said untested. Thanks for remote eyes.
Regards
Rüdiger
