Reverse the order a little bit: 2), 3), 1) (as 1) is likely to break the most things compared to 2) and 3)).

Regarding 2) see the ongoing discussion between Eric and me to find the correct expression.

Regards

Rüdiger

> -----Original Message-----
> From: Dirk-Willem van Gulik
> Sent: Wednesday, 24 August 2011 15:08
> To: Dirk-Willem van Gulik
> Cc: dev@httpd.apache.org; secur...@httpd.apache.org
> Subject: Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)
>
> * Folks - do we also need to add Request-Range?
>
> * Updated with Rüdiger's, Eric's and Florian's comments.
>
> * Consensus that the deflate stuff needs to go out reflected.
>
> * More comments please. Esp. on the quality and realisticness of the mitigations.
>
> * Is this the right list (and order) of the mitigations - or should ReWrite be first?
>
> * Timeline mentioning fine (we've never done that before) -- or best avoided?
>
> My plan is to wait for the US to fully wake up - and then call for a few quick +1's to get this out - ideally before 1600 zulu.
>
> Thanks,
>
> Dw.
>
>
> Title: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2
> Date: 20110824 1600Z
> # Last Updated: 20110824 1600Z
> Product: Apache Web Server
> Versions: Apache 1.3 all versions, Apache 2 all versions
>
> Description:
> ------------
>
> A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by apache (http://seclists.org/fulldisclosure/2011/Aug/175). An attack tool is circulating in the wild. Active use of this tool has been observed.
>
> The attack can be done remotely and with a modest number of requests leads to very significant memory and CPU usage.
>
> The default apache installation is vulnerable.
>
> There is currently no patch/new version of apache which fixes this vulnerability. This advisory will be updated when a long term fix is available. A fix is expected in the next 96 hours.
>
> Mitigation:
> ------------
>
> However there are several immediate options to mitigate this issue until that time:
>
> 1) Use mod_headers to dis-allow the use of Range headers:
>
>    RequestHeader unset Range
>
>    Note that this may break certain clients - such as those used for e-Readers and progressive/http-streaming video.
>
> 2) Use mod_rewrite to limit the number of ranges:
>
>    RewriteCond %{HTTP:range} !^bytes=[^,]+(,[^,]+){0,4}$
>    RewriteRule .* - [F]
>
> 3) Limit the size of the request field to a few hundred bytes. Note that while this keeps the offending Range header short - it may break other headers; such as sizable cookies or security fields.
>
>    LimitRequestFieldSize 200
>
>    Note that as the attack evolves in the field you are likely to have to further limit this and/or impose other LimitRequestFields limits.
>
>    See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
>
> 4) Deploy a Range header count module as a temporary stopgap measure:
>
>    http://people.apache.org/~dirkx/mod_rangecnt.c
>
> 5) Apply any of the current patches under discussion - such as:
>
>    http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e
>
> Actions:
> -----------
> Apache HTTPD users are advised to investigate whether they are vulnerable (e.g. allow use of the Range header) and consider implementing any of the above mitigations immediately.
>
> When using a third party attack tool to verify vulnerability - know that most of the versions in the wild currently check for the presence of mod_deflate; and will (mis)report that your server is not vulnerable if this module is not present. This vulnerability is not dependent on presence or absence of that module.
>
> Planning:
> -------------
>
> This advisory will be updated when a fix/patch or new release is available. A patch or new apache release for Apache 2.0 and 2.2 is expected in the next 96 hours. Note that, while popular, Apache 1.3 is deprecated.
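The mod_rewrite mitigation 2) in the quoted draft tests a regular expression against the raw Range value and forbids the request when it does not match. The following is an added example (my code, not the advisory's or the httpd project's) that replays that test in Python over constructed header values, including a request with no Range header at all, which mod_rewrite expands to an empty string. The second pattern, which additionally accepts an empty value, is my assumption of one way to let header-less requests through; it is not the expression Eric and Rüdiger are still discussing.

```python
import re

# Pattern copied verbatim from mitigation 2) of the draft. mod_rewrite
# negates it ("!"), so the "[F]" rule fires whenever the value does NOT match.
DRAFT_PATTERN = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$")

# Assumed variant (not from the draft): also accept an empty value, so a
# request that carries no Range header is not forbidden.
ASSUMED_PATTERN = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")


def rule_forbids(range_header, pattern=DRAFT_PATTERN):
    """True if 'RewriteCond %{HTTP:range} !<pattern>' plus
    'RewriteRule .* - [F]' would answer 403. range_header is the raw header
    value, or None when the request has no Range header (mod_rewrite then
    expands %{HTTP:range} to the empty string)."""
    value = "" if range_header is None else range_header
    return pattern.match(value) is None


def count_ranges(range_header):
    """Number of byte-range-specs in a Range value, i.e. the quantity the
    rule bounds at five. An absent or non-'bytes=' header counts as 0."""
    if not range_header or not range_header.startswith("bytes="):
        return 0
    specs = range_header[len("bytes="):].split(",")
    return len([s for s in specs if s.strip()])


# Constructed sample header values (not taken from the advisory).
SAMPLES = {
    "no header": None,
    "single": "bytes=0-499",
    "five": "bytes=0-,1-,2-,3-,4-",
    "six": "bytes=0-,1-,2-,3-,4-,5-",
    "many": "bytes=" + ",".join("%d-" % i for i in range(100)),
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (range count, draft rule 403?, assumed rule 403?)."""
    return {name: (count_ranges(v), rule_forbids(v), rule_forbids(v, ASSUMED_PATTERN))
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, (n, draft, assumed) in evaluate().items():
        print("%-10s ranges=%3d draft_403=%-5s assumed_403=%s" % (name, n, draft, assumed))
```

Running it shows that the draft pattern, as written, also forbids the "no header" case, i.e. every ordinary request without a Range header, while both patterns forbid six or more ranges.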