> -----Original Message-----
> From: Dirk-Willem van Gulik [mailto:[email protected]]
> Sent: Wednesday, 24 August 2011 14:40
> To: [email protected]
> Cc: Plüm, Rüdiger, VF-Group
> Subject: Re: Mitigation Range header
>
>
> On 24 Aug 2011, at 13:22, Florian Weimer wrote:
>
> > * Plüm, Rüdiger, VF-Group:
> >
> >> As said this has *nothing* to do with mod_deflate. This was IMHO just
> >> a guess by the original author of the tool.
> >
> > This matches my testing, too. I see a significant peak in RAM usage on
> > a server where "apachectl -M" does not print anything with the string
> > "deflate" (so I assume that mod_deflate is not enabled). This is with
> > 2.2.9-10+lenny9 on Debian.
> >
> > If it is more difficult to check if mod_deflate is enabled, the advisory
> > should tell how to check your server. If the method I used is the
> > correct one, I don't think it's reasonable to suggest disabling
> > mod_deflate as a mitigation because it does not seem to make much of a
> > difference.
>
> Hmm - when I remove mod_deflate (i.e. explicitly as it is the
> default in all our installs) and test on a / entry which is a
> static file which is large (100k)* - then I cannot get apache
> on its knees on a freebsd machine - saturating the 1Gbit
> connection it has (Note: the attack machines *are* getting
> saturated). The moment I put in mod_deflate, mod_external
> filter, etc - it is much easier to deplete enough
> resources to notice.
>
> Dw.
>
> *: as I cannot reproduce the issue with very small index.html files.
Have you tried if the same happens with mod_deflate, but with one of the proposed mitigations in place? As said, my guess is that this might be an issue with mod_deflate that is unrelated to the Range request issue.

Regards

Rüdiger
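The thread is about separating the Range-header resource problem from mod_deflate. A server-side check that the discussion implies but does not show is to measure what a Range header actually asks the server to assemble before answering it. The following is an added example, not code from the thread or from httpd: it parses a byte-range header against a 100k resource (the size Dirk-Willem tested with), totals the bytes requested, and flags headers with overlapping ranges or more ranges than an assumed local limit (`max_ranges`, a policy knob of this example). The sample header values are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample headers (not from the thread): a normal resume-style
# request, and one that asks for many overlapping copies of the same bytes.
BENIGN_RANGE = "bytes=0-499"
ABUSIVE_RANGE = "bytes=0-,0-99,0-99,1-100,2-100,3-100"

def parse_byte_ranges(header: str, content_length: int) -> List[Tuple[int, int]]:
    """Parse a Range header value into (first, last) byte offsets clamped to
    the resource size. Malformed or unsatisfiable specs are dropped, which is
    what a server must do before deciding how much memory a response needs."""
    m = re.fullmatch(r"\s*bytes=(.*)", header)
    if not m:
        return []
    ranges = []
    for spec in m.group(1).split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep or (first and not first.isdigit()) or (last and not last.isdigit()):
            continue                         # not "N-M", "N-" or "-N"
        if first == "" and last == "":
            continue
        if first == "":                      # suffix form "-N": last N bytes
            n = int(last)
            if n == 0:
                continue
            ranges.append((max(content_length - n, 0), content_length - 1))
            continue
        start = int(first)
        end = int(last) if last else content_length - 1
        end = min(end, content_length - 1)
        if start >= content_length or end < start:
            continue                         # unsatisfiable range
        ranges.append((start, end))
    return ranges

def assess_range_header(header: str, content_length: int, max_ranges: int = 5) -> dict:
    """Summarise how much work a Range header implies. A header is flagged
    when its ranges overlap (the same bytes are requested repeatedly) or
    when it carries more ranges than the assumed local limit max_ranges."""
    ranges = parse_byte_ranges(header, content_length)
    ordered = sorted(ranges)
    overlapping = any(cur[0] <= prev[1] for prev, cur in zip(ordered, ordered[1:]))
    requested = sum(last - first + 1 for first, last in ranges)
    return {
        "range_count": len(ranges),
        "bytes_requested": requested,
        "overlapping": overlapping,
        "suspicious": len(ranges) > max_ranges or overlapping,
    }
```

Run against the abusive sample, the header asks for 100,497 bytes of a 100,000-byte file across six overlapping ranges; the benign one asks for 500 bytes in a single range.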
