> -----Original Message-----
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: Wednesday, 24 August 2011 14:05
> To: dev@httpd.apache.org
> Subject: Re: Mitigation Range header (Was: DoS with mod_deflate & range requests)
>
> On Wed, Aug 24, 2011 at 7:57 AM, "Plüm, Rüdiger, VF-Group"
> <ruediger.pl...@vodafone.com> wrote:
> >
> >
> >> -----Original Message-----
> >> From: Dirk-Willem van Gulik
> >> Sent: Wednesday, 24 August 2011 13:33
> >> To: dev@httpd.apache.org
> >> Subject: Mitigation Range header (Was: DoS with mod_deflate & range requests)
> >>
> >> Folks,
> >>
> >> This issue is now active in the wild. So some unified/simple comms is needed.
> >>
> >> What is the wisdom on mitigation advice/briefing until a proper fix is out - in order of ease:
> >>
> >> -> Where possible - disable mod_deflate
> >>
> >> => we sure this covers all cases - or this is a good stopgap ?
> >
> > As said this has *nothing* to do with mod_deflate. This was IMHO just
> > a guess by the original author of the tool.
> >
> >>
> >> -> Where possible - set LimitRequestFieldSize to a small value
> >>
> >> -> Suggesting of 128 fine ?
> >>
> >> -> Where this is not possible (e.g. long cookies, auth headers of serious size) consider using
> >> mod_rewrite to not accept more than a few commas
> >>
> >> => anyone a config snippet for this ?
> >
> > How about the following (untested) rewrite rule. It should only allow 5 ranges at max.
> >
> > RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$
> > RewriteRule .* - [F]
>
> Is [E=no-gzip] enough to avoid the downward spiral, for the sake of false positives?
As said it has IMHO nothing to do with mod_deflate. It is an issue of the byte range filter.

> But your regex matches when there's just a couple of ranges -- maybe
> {4} and no $?

Of course it should have been:

RewriteCond %{HTTP:range} !^bytes=[^,]+(,[^,]+){0,4}$
RewriteRule .* - [F]

As said untested. Thanks for remote eyes.

Regards

Rüdiger
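The rule in the thread is posted untested, so before deploying it a practitioner would want to see how each version behaves on concrete Range values. The script below is an added example, not code from the thread or from the httpd project: it simulates mod_rewrite's evaluation of `RewriteCond %{HTTP:range} pattern` (an unanchored PCRE search, optionally negated with `!`) followed by `RewriteRule .* - [F]`, and runs the first version, the `!`-corrected version, and an assumed third variant of my own against constructed sample requests. The third variant adds `|^$` to the pattern because `%{HTTP:range}` expands to an empty string when a request carries no Range header, and the negated pattern alone does not match an empty string, so it would forbid every request without the header. The function names, the sample headers and that variant are all assumptions of this example.

```python
import re

# Pattern as posted in the thread: a Range value with at most five
# comma-separated ranges (one mandatory range plus up to four more).
AT_MOST_FIVE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$")

# Assumed hardened variant (not from the thread): also accept an empty value,
# which is what %{HTTP:range} expands to when the request has no Range header.
# Without this alternative, the negated condition fires on every request that
# simply lacks the header.
AT_MOST_FIVE_OR_ABSENT = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")


def rewrite_forbids(headers, pattern, negate):
    """Simulate `RewriteCond %{HTTP:range} [!]pattern` + `RewriteRule .* - [F]`.

    Returns True when the request would be answered with 403 Forbidden.
    Header names are looked up case-insensitively, as in HTTP; a missing
    header yields "" exactly like the mod_rewrite variable does.
    """
    value = next((v for k, v in headers.items() if k.lower() == "range"), "")
    matched = pattern.search(value) is not None   # RewriteCond is an unanchored search
    return (not matched) if negate else matched


# Rule variants under test: name -> (pattern, negated?)
RULES = {
    "original":   (AT_MOST_FIVE, False),           # first version from the thread
    "corrected":  (AT_MOST_FIVE, True),            # follow-up with the leading '!'
    "with_empty": (AT_MOST_FIVE_OR_ABSENT, True),  # assumed variant, see comment above
}


def evaluate(headers):
    """Outcome of every rule variant for one request: name -> forbidden?"""
    return {name: rewrite_forbids(headers, pat, neg) for name, (pat, neg) in RULES.items()}


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "no Range header": {"Host": "example.test"},
    "single range":    {"Range": "bytes=0-499"},
    "five ranges":     {"Range": "bytes=0-0,1-1,2-2,3-3,4-4"},
    "six ranges":      {"Range": "bytes=0-0,1-1,2-2,3-3,4-4,5-5"},
    "malformed":       {"Range": "bytes="},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        verdicts = ", ".join(f"{n}={'403' if f else 'pass'}" for n, f in evaluate(headers).items())
        print(f"{label:16s} {verdicts}")
```

Running it shows the false positive Eric pointed out (the un-negated rule forbids a single range and lets six ranges through), that the `!` fixes the ordering, and that the negated rule on its own also forbids a request with no Range header at all, which the `|^$` alternative avoids while still rejecting both six ranges and a malformed `bytes=` value.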