RE: DoS with mod_deflate & range requests

2011-08-23 Thread Plüm, Rüdiger, VF-Group
> -Original Message- > From: Stefan Fritsch [mailto:s...@sfritsch.de] > Sent: Tuesday, 23 August 2011 13:09 > To: dev@httpd.apache.org > Subject: DoS with mod_deflate & range requests > > http://seclists.org/fulldisclosure/2011/Aug/175 > > I haven't looked into it so far. And I am n

Re: DoS with mod_deflate & range requests

2011-08-23 Thread Lazy
2011/8/23 Stefan Fritsch : > http://seclists.org/fulldisclosure/2011/Aug/175 > > I haven't looked into it so far. And I am not sure I will have time today. > it is sending HEAD requests with lots of ranges HEAD / HTTP/1.1 Host: Range:bytes=0-,5-1,5-2,5-3,. the code in ap_byterange_filte

Re: DoS with mod_deflate & range requests

2011-08-23 Thread Lazy
2011/8/23 Lazy : > 2011/8/23 Stefan Fritsch : >> http://seclists.org/fulldisclosure/2011/Aug/175 >> >> I haven't looked into it so far. And I am not sure I will have time today. >> > > it is sending HEAD requests with lots of  ranges > HEAD / HTTP/1.1 > Host: > Range:bytes=0-,5-1,5-2,5-3,.

Re: DoS with mod_deflate & range requests

2011-08-23 Thread Tim Bannister
On Tue, Aug 23, 2011 at 02:15:16PM +0200, Lazy wrote: 2011/8/23 Stefan Fritsch : > http://seclists.org/fulldisclosure/2011/Aug/175 > > I haven't looked into it so far. And I am not sure I will have time today. > it is sending HEAD requests with lots of ranges HEAD / HTTP/1.1 Host: Range:by

Re: DoS with mod_deflate & range requests

2011-08-23 Thread William A. Rowe Jr.
On 8/23/2011 6:08 AM, Stefan Fritsch wrote: > http://seclists.org/fulldisclosure/2011/Aug/175 > > I haven't looked into it so far. And I am not sure I will have time today. Until range can be completely addressed, avoiding excessive numbers of ranges (tricky) or overlapping ranges (pretty straigh

Re: DoS with mod_deflate & range requests

2011-08-23 Thread Stefan Fritsch
On Tuesday 23 August 2011, William A. Rowe Jr. wrote: > On 8/23/2011 6:08 AM, Stefan Fritsch wrote: > > http://seclists.org/fulldisclosure/2011/Aug/175 > > > > I haven't looked into it so far. And I am not sure I will have > > time today. > > Until range can be completely addressed, avoiding exce

Re: DoS with mod_deflate & range requests

2011-08-23 Thread Mohamed Dawaina
please tell me how to unsubscribe from this mailing list On Tue, Aug 23, 2011 at 9:49 PM, Stefan Fritsch wrote: > On Tuesday 23 August 2011, William A. Rowe Jr. wrote: > > On 8/23/2011 6:08 AM, Stefan Fritsch wrote: > > > http://seclists.org/fulldisclosure/2011/Aug/175 > > > > > > I haven't look

Re: DoS with mod_deflate & range requests

2011-08-23 Thread William A. Rowe Jr.
On 8/23/2011 1:49 PM, Stefan Fritsch wrote: > > From looking at the code, I think the problem is the bucket structs. > With N the number of requested ranges, the initial brigade is > partitioned into 2*N buckets at the maximum. Then those buckets are > copied into the output brigade N times, w
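A worked model of the cost Stefan describes above, added here as an example and not code from the thread or from httpd: it counts the bucket structs a byterange filter creates when it first splits the body's brigade at every range boundary and then copies the covering buckets into the output brigade once per range. The content length, the range lists and the function names (byterange_bucket_cost, attack_cost) are assumptions for illustration; the pattern of n overlapping open-ended ranges "0-,1-,2-,..." is constructed here to stand in for the header quoted from the advisory, which is of the same overlapping flavour.

```c
#include <stdio.h>
#include <stdlib.h>

static int cmp_long(const void *a, const void *b)
{
    long x = *(const long *)a, y = *(const long *)b;
    return (x > y) - (x < y);
}

/* Models the brigade as consecutive buckets [bound[k], bound[k+1]).
 * Returns the number of bucket structs created: the partitioned input brigade
 * plus one copy per (range, bucket) pair. *partitioned receives the bucket
 * count after splitting. Ranges are inclusive and assumed clamped to the body. */
long byterange_bucket_cost(long content_len, const long *starts, const long *ends,
                           size_t nranges, long *partitioned)
{
    size_t nb = 0, u = 1, k;
    long buckets, total;
    long *bound = malloc((2 * nranges + 2) * sizeof *bound);
    if (!bound) return -1;
    bound[nb++] = 0;
    bound[nb++] = content_len;
    for (k = 0; k < nranges; k++) {
        bound[nb++] = starts[k];        /* split before the first byte of the range */
        bound[nb++] = ends[k] + 1;      /* split after the last byte of the range */
    }
    qsort(bound, nb, sizeof *bound, cmp_long);
    for (k = 1; k < nb; k++)            /* drop duplicate split points */
        if (bound[k] != bound[u - 1]) bound[u++] = bound[k];
    buckets = (long)u - 1;
    total = buckets;
    for (k = 0; k < nranges; k++)       /* every bucket inside a range is copied once */
        for (size_t i = 0; i + 1 < u; i++)
            if (bound[i] >= starts[k] && bound[i + 1] <= ends[k] + 1)
                total++;
    free(bound);
    if (partitioned) *partitioned = buckets;
    return total;
}

/* Cost of n overlapping ranges "0-,1-,2-,...,(n-1)-" (constructed pattern). */
long attack_cost(long content_len, size_t nranges, long *partitioned)
{
    long total, *s = malloc(nranges * sizeof *s), *e = malloc(nranges * sizeof *e);
    if (!s || !e) { free(s); free(e); return -1; }
    for (size_t k = 0; k < nranges; k++) { s[k] = (long)k; e[k] = content_len - 1; }
    total = byterange_bucket_cost(content_len, s, e, nranges, partitioned);
    free(s);
    free(e);
    return total;
}

int main(void)
{
    const size_t sizes[] = { 10, 100, 1000 };
    for (size_t i = 0; i < 3; i++) {
        long p = 0, t = attack_cost(1000000, sizes[i], &p);
        printf("%4zu ranges: %5ld buckets after split, %7ld bucket structs total\n",
               sizes[i], p, t);
    }
    return 0;
}
```

For n ranges that each run to the end of the body, the split yields n buckets and range k copies n-k of them, so the struct count is n + n(n+1)/2: 65 for 10 ranges, 5150 for 100 and 501500 for 1000. That quadratic growth in bucket structs, not the bytes of the body, is what the model makes visible.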

Re: DoS with mod_deflate & range requests

2011-08-23 Thread Greg Ames
On Tue, Aug 23, 2011 at 3:32 PM, William A. Rowe Jr. wrote: > > I suggest we should be parsing and reassembling the list before we > start the bucket logic. > > I propose we satisfy range requests in the only sensible manner, returning > the ranges in sequence, > yeah, overlapping ranges should

Re: DoS with mod_deflate & range requests

2011-08-23 Thread William A. Rowe Jr.
On 8/23/2011 4:00 PM, Greg Ames wrote: > > On Tue, Aug 23, 2011 at 3:32 PM, William A. Rowe Jr. wrote: > > I suggest we should be parsing and reassembling the list before we > start the bucket logic. > > I propose we satisfy range requests in the only sensible manner, returning >

Re: DoS with mod_deflate & range requests

2011-08-23 Thread Reindl Harald
On 23.08.2011 20:52, Mohamed Dawaina wrote: > please tell me how to unsubscribe from this mailing list what about looking in the mail-header or login with your account you have registered? Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubsc

Re: DoS with mod_deflate & range requests

2011-08-23 Thread Stefan Fritsch
On Tuesday 23 August 2011, William A. Rowe Jr. wrote: > On 8/23/2011 4:00 PM, Greg Ames wrote: > > On Tue, Aug 23, 2011 at 3:32 PM, William A. Rowe Jr. wrote: > > I suggest we should be parsing and reassembling the list > > before we start the bucket logic. > > > > I propose we sat

Re: DoS with mod_deflate & range requests

2011-08-23 Thread Roy T. Fielding
On Aug 23, 2011, at 2:34 PM, William A. Rowe Jr. wrote: > On 8/23/2011 4:00 PM, Greg Ames wrote: >> >> On Tue, Aug 23, 2011 at 3:32 PM, William A. Rowe Jr. wrote: >> >>I suggest we should be parsing and reassembling the list before we >>start the bucket logic. >> >>I propose we sat

Re: DoS with mod_deflate & range requests

2011-08-23 Thread Stefan Fritsch
On Wednesday 24 August 2011, Roy T. Fielding wrote: > My suggestion is to reject any request with overlapping ranges or > more than five ranges with a 416, and to send 200 for any request > with 4-5 ranges. There is simply no need to support random access > in HTTP. Even with WebDAV? BTW, I thin

RE: DoS with mod_deflate & range requests

2011-08-24 Thread Plüm, Rüdiger, VF-Group
> -Original Message- > From: Stefan Fritsch > Sent: Wednesday, 24 August 2011 00:28 > To: dev@httpd.apache.org > Subject: Re: DoS with mod_deflate & range requests > > On Tuesday 23 August 2011, William A. Rowe Jr. wrote: > > On 8/23/2011 4:00 PM, Gre

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Tim Bannister
On Tue, Aug 23, 2011, Roy T. Fielding wrote: And the spec says ... When a client requests multiple ranges in one request, the server SHOULD return them in the order that they appeared in the request. My suggestion is to reject any request with overlapping ranges or more than five rang

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
On Aug 23, 2011, at 9:34 PM, Roy T. Fielding wrote: > On Aug 23, 2011, at 2:34 PM, William A. Rowe Jr. wrote: > >> On 8/23/2011 4:00 PM, Greg Ames wrote: >>> >>> On Tue, Aug 23, 2011 at 3:32 PM, William A. Rowe Jr. wrote: >>> >>> I suggest we should be parsing and reassembling the list befor

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Dirk-Willem van Gulik
On 24 Aug 2011, at 16:35, Tim Bannister wrote: > On Tue, Aug 23, 2011, Roy T. Fielding wrote: >> And the spec says ... >> >> When a client requests multiple ranges in one request, the >> server SHOULD return them in the order that they appeared in the >> request. >> >> My suggestion is to

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
On Aug 24, 2011, at 4:05 AM, Plüm, Rüdiger, VF-Group wrote: > > Patch looks good, but some comments: > > As far as I can see the following range request would not get merged: > > Range: bytes=0-0,1-1,2-2 > > into a 0-2 range as need_sort would remain 0. OTOH > > Range: bytes=0-0,0-1,1-2 > >

RE: DoS with mod_deflate & range requests

2011-08-24 Thread Plüm, Rüdiger, VF-Group
> -Original Message- > From: Dirk-Willem van Gulik [mailto:dirk-willem.van.gu...@bbc.co.uk] > Sent: Wednesday, 24 August 2011 17:46 > To: dev@httpd.apache.org > Subject: Re: DoS with mod_deflate & range requests > > > On 24 Aug 2011, at 16:35, Tim Bannist

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
Sorting isn't allowed but I get the impression that merging is OK… Roy can confirm… If not, then some sort of runtime limit on the number of allowable ranges plus a 416 w/ overlapping ranges makes the most sense. On Aug 24, 2011, at 11:55 AM, Plüm, Rüdiger, VF-Group wrote: > > Hm. If I got it ri

RE: DoS with mod_deflate & range requests

2011-08-24 Thread Plüm, Rüdiger, VF-Group
> -Original Message- > From: Jim Jagielski [mailto:j...@jagunet.com] > Sent: Wednesday, 24 August 2011 17:48 > To: dev@httpd.apache.org > Subject: Re: DoS with mod_deflate & range requests > > > On Aug 24, 2011, at 4:05 AM, Plüm, Rüdiger, VF-Group wrote:

RE: DoS with mod_deflate & range requests

2011-08-24 Thread Plüm, Rüdiger, VF-Group
> -Original Message- > From: Jim Jagielski [mailto:j...@jagunet.com] > Sent: Wednesday, 24 August 2011 18:02 > To: dev@httpd.apache.org > Subject: Re: DoS with mod_deflate & range requests > > Sorting isn't allowed but I get the impression that merg

Re: DoS with mod_deflate & range requests

2011-08-24 Thread William A. Rowe Jr.
On 8/24/2011 10:55 AM, "Plüm, Rüdiger, VF-Group" wrote: > > Hm. If I got it right what Roy says above about the spec sorting and merging > is > not an option as we need to stick to the order and number of ranges the client > requested. No. Merging -is- recommended. 10.4.17 416 Requested Ran

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
On Aug 24, 2011, at 12:05 PM, Plüm, Rüdiger, VF-Group wrote: > > >> -Original Message- >> From: Jim Jagielski [mailto:j...@jagunet.com] >> Sent: Wednesday, 24 August 2011 18:02 >> To: dev@httpd.apache.org >> Subject: Re: DoS with mod_deflate &

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
On Aug 24, 2011, at 12:22 PM, William A. Rowe Jr. wrote: > > 0-, 40-50 becomes 0- > 0-499, 400-599 becomes 0-599 > 1000-1075, 200-250, 1051-1100 becomes 1000-1100, 200-250 This goes against Roy's recommendation to 416 overlaps… But I do see that an overlap is specifically noted in an exam

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Stefan Fritsch
On Wednesday 24 August 2011, Jim Jagielski wrote: > On Aug 24, 2011, at 12:05 PM, Plüm, Rüdiger, VF-Group wrote: > >> -Original Message- > >> From: Jim Jagielski [mailto:j...@jagunet.com] > >> Sent: Wednesday, 24 August 2011 18:02 > >> To: dev@http

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Tim Bannister
On 24 Aug 2011, at 17:47, Stefan Fritsch wrote: On Wednesday 24 August 2011, Jim Jagielski wrote: >> On Aug 24, 2011, at 12:05 PM, Plüm, Rüdiger, VF-Group wrote: >>> >>> But merging might require sorting... >> >> then we don't do that merge, imo… In other words, we progress thru the set >> of ra

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Greg Ames
On Wed, Aug 24, 2011 at 12:42 PM, Jim Jagielski wrote: > > On Aug 24, 2011, at 12:22 PM, William A. Rowe Jr. wrote: > > > > > 0-, 40-50 becomes 0- > > > 0-499, 400-599 becomes 0-599 > > > 1000-1075, 200-250, 1051-1100 becomes 1000-1100, 200-250 > > This goes against Roy's recommendation to 416

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
On Aug 24, 2011, at 2:43 PM, Tim Bannister wrote: > On 24 Aug 2011, at 17:47, Stefan Fritsch wrote: > On Wednesday 24 August 2011, Jim Jagielski wrote: >>> On Aug 24, 2011, at 12:05 PM, Plüm, Rüdiger, VF-Group wrote: But merging might require sorting... >>> >>> then we don't do that m

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
On Aug 24, 2011, at 3:10 PM, Greg Ames wrote: > > > On Wed, Aug 24, 2011 at 12:42 PM, Jim Jagielski wrote: > > >From the above, I would be more comfortable with > > 0-, 40-50 ---> 0- > 0-499, 400-599 ---> 0-599 > 1000-1075, 1025-1088, 200-250, 1051-1100 --> 1000-1088, 200-250, 1051-110

Re: DoS with mod_deflate & range requests

2011-08-24 Thread William A. Rowe Jr.
On 8/24/2011 11:42 AM, Jim Jagielski wrote: > > On Aug 24, 2011, at 12:22 PM, William A. Rowe Jr. wrote: > >> 0-, 40-50 becomes 0- > >> 0-499, 400-599 becomes 0-599 > >> 1000-1075, 200-250, 1051-1100 becomes 1000-1100, 200-250 > > This goes against Roy's recommendation to 416 overlaps… But

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
On Aug 24, 2011, at 3:34 PM, William A. Rowe Jr. wrote: > On 8/24/2011 11:42 AM, Jim Jagielski wrote: >> >> On Aug 24, 2011, at 12:22 PM, William A. Rowe Jr. wrote: >> >>> 0-, 40-50 becomes 0- >> >>> 0-499, 400-599 becomes 0-599 >> >>> 1000-1075, 200-250, 1051-1100 becomes 1000-1100, 200-250

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Tim Bannister
On 24 Aug 2011, at 20:13, Jim Jagielski wrote: >> Another option is just to return 200. Servers MAY ignore the Range header. I >> prefer this because existing clients already handle that case well, and >> there's no opportunity for a client to exploit this (“malicious” clients >> that want the

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Greg Ames
On Wed, Aug 24, 2011 at 3:19 PM, Jim Jagielski wrote: > > > > > If we only merge adjacent ascending ranges, then it seems like an > attacker could just craft a header where the ranges jump around and dodge > our fix. > > > > I think no matter what, we should still have some sort of > upper limit

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Dirk-WIllem van Gulik
On 24 Aug 2011, at 21:39, Greg Ames wrote: > On Wed, Aug 24, 2011 at 3:19 PM, Jim Jagielski wrote: > > > > > If we only merge adjacent ascending ranges, then it seems like an attacker > > could just craft a header where the ranges jump around and dodge our fix. > > > > I think no matter what,

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Roy T. Fielding
On Aug 24, 2011, at 8:35 AM, Tim Bannister wrote: > On Tue, Aug 23, 2011, Roy T. Fielding wrote: >> And the spec says ... >> When a client requests multiple ranges in one request, the >> server SHOULD return them in the order that they appeared in the >> request. >> My suggestion is to rejec

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Roy T. Fielding
On Aug 24, 2011, at 8:55 AM, Plüm, Rüdiger, VF-Group wrote: > Hm. If I got it right what Roy says above about the spec sorting and merging > is > not an option as we need to stick to the order and number of ranges the client > requested. But we can deny overlapping with a 416. We should implement

Re: DoS with mod_deflate & range requests

2011-08-24 Thread William A. Rowe Jr.
On 8/24/2011 3:45 PM, Dirk-WIllem van Gulik wrote: > > On 24 Aug 2011, at 21:39, Greg Ames wrote: > >> On Wed, Aug 24, 2011 at 3:19 PM, Jim Jagielski > > wrote: >> >> >> > >> > If we only merge adjacent ascending ranges, then it seems like an >> attacker could >>

Re: DoS with mod_deflate & range requests

2011-08-24 Thread William A. Rowe Jr.
On 8/24/2011 3:12 PM, Jim Jagielski wrote: > > On Aug 24, 2011, at 3:34 PM, William A. Rowe Jr. wrote: > >> On 8/24/2011 11:42 AM, Jim Jagielski wrote: >>> >>> On Aug 24, 2011, at 12:22 PM, William A. Rowe Jr. wrote: >>> 0-, 40-50 becomes 0- >>> 0-499, 400-599 becomes 0-599 >>> 100

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Stefan Fritsch
On Wednesday 24 August 2011, Dirk-WIllem van Gulik wrote: > > I think no matter what, we should still have some sort of > > upper limit on the number of range-sets we accept… after all, > > merge doesn't prevent jumping around ;) > > > > > > > > > > The problem I have with the upper limit on the

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
I'm cool w/ that… treat non-ascending ranges as potential hinky and count those and only allow a certain number of them… Still not sure if we should count overlaps as bad or not… that RFC example troubles me: 14.35.1 Byte Ranges - Several legal but not canonical specifications of the second

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
On Aug 24, 2011, at 5:00 PM, William A. Rowe Jr. wrote: > > At least, after 256 ranges or so, fall back to a 200 response in lieu of > a 400/416 response. > +1 on not sending 416 if we hit some limit and fall back on 200.
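The range handling discussed in this thread, written out as an added example that is neither the httpd patch nor code from any poster: it parses a Range header, treats a spec with last-byte-pos below first-byte-pos as syntactically invalid so that the whole header is ignored (RFC 2616 14.35.1), merges overlapping and adjacent ranges in request order without sorting, following William's examples (0-,40-50 to 0-; 0-499,400-599 to 0-599; 1000-1075,200-250,1051-1100 to 1000-1100,200-250) and Rüdiger's 0-0,1-1,2-2 to 0-2 case, and falls back to a plain 200 once the number of specs passes a limit, as William and Jim agree above. The 256 limit, the decision rules, the function names (decide_range, merge_ranges, attack_header) and the sample headers are assumptions for illustration; Greg's more conservative variant would merge only consecutive specs.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define MAX_RANGES 1024          /* parse buffer; the policy limit is a parameter */

typedef struct { long start, end; } byterange_t;              /* inclusive offsets */
typedef struct { int status, count; byterange_t ranges[MAX_RANGES]; } range_decision_t;

/* 1 = number parsed, 0 = absent, -1 = not a plain decimal (or overflow) */
static int parse_number(const char *s, const char *e, long *out)
{
    long v = 0;
    if (s == e) return 0;
    for (; s < e; s++) {
        if (!isdigit((unsigned char)*s) || v > LONG_MAX / 10) return -1;
        v = v * 10 + (*s - '0');
    }
    *out = v;
    return 1;
}

/* One byte-range-spec: 1 = satisfiable (written to *r), 0 = valid but
 * unsatisfiable (skipped), -1 = syntactically invalid, which per RFC 2616
 * 14.35.1 means the whole Range header must be ignored. */
static int parse_spec(const char *s, const char *e, long clen, byterange_t *r)
{
    const char *dash = memchr(s, '-', (size_t)(e - s));
    long first = 0, last = 0;
    if (!dash) return -1;
    int hf = parse_number(s, dash, &first), hl = parse_number(dash + 1, e, &last);
    if (hf < 0 || hl < 0 || (!hf && !hl)) return -1;
    if (!hf) {                                      /* suffix-byte-range-spec "-n" */
        if (last == 0) return 0;
        r->start = last >= clen ? 0 : clen - last;
        r->end = clen - 1;
        return clen > 0;
    }
    if (hl && last < first) return -1;              /* e.g. "5-1" from the advisory */
    if (first >= clen) return 0;
    r->start = first;
    r->end = (!hl || last >= clen) ? clen - 1 : last;
    return 1;
}

/* "bytes=a-b,c-,-n,...": returns satisfiable count, -1 invalid, -2 over max
 * specs (counted before parsing, so the cap costs nothing). */
static int parse_range_header(const char *hdr, long clen, byterange_t *out, int max)
{
    int n = 0, specs = 0;
    const char *p = hdr;
    while (*p == ' ' || *p == '\t') p++;
    if (strncmp(p, "bytes=", 6) != 0) return -1;
    for (p += 6;; p = strchr(p, ',') + 1) {
        const char *comma = strchr(p, ',');
        const char *s = p, *e = comma ? comma : p + strlen(p);
        while (s < e && (*s == ' ' || *s == '\t')) s++;            /* trim LWS */
        while (e > s && (e[-1] == ' ' || e[-1] == '\t')) e--;
        if (e > s) {
            if (++specs > max) return -2;
            int rc = parse_spec(s, e, clen, &out[n]);
            if (rc < 0) return -1;
            n += rc;
        }
        if (!comma) break;
    }
    return specs ? n : -1;
}

/* Folds each later spec into the earliest kept range it overlaps or abuts, so
 * order of first appearance is preserved without sorting. Repeats until stable
 * because widening one range can make it touch another. Returns the new count. */
static int merge_ranges(byterange_t *r, int n)
{
    for (int changed = 1; changed;) {
        changed = 0;
        for (int i = 0; i < n; i++)
            for (int j = i + 1; j < n; j++)
                if (r[j].start <= r[i].end + 1 && r[i].start <= r[j].end + 1) {
                    if (r[j].start < r[i].start) r[i].start = r[j].start;
                    if (r[j].end > r[i].end) r[i].end = r[j].end;
                    memmove(&r[j], &r[j + 1], (size_t)(n - j - 1) * sizeof *r);
                    n--; j--; changed = 1;
                }
    }
    return n;
}

/* Assumed policy (not httpd's): invalid header or more than max_ranges specs
 * is served as a plain 200, nothing satisfiable is 416, otherwise 206. */
static void decide_range(const char *hdr, long clen, int max_ranges, range_decision_t *d)
{
    int n = parse_range_header(hdr, clen, d->ranges,
                               max_ranges < MAX_RANGES ? max_ranges : MAX_RANGES);
    d->count = 0;
    d->status = n < 0 ? 200 : n == 0 ? 416 : 206;
    if (n > 0) d->count = merge_ranges(d->ranges, n);
}

/* Constructed attack shape "bytes=0-,1-,2-,..." with nspecs overlapping specs. */
static char g_attack[16384];
static const char *attack_header(int nspecs)
{
    size_t used = (size_t)snprintf(g_attack, sizeof g_attack, "bytes=");
    for (int k = 0; k < nspecs && used + 16 < sizeof g_attack; k++)
        used += (size_t)snprintf(g_attack + used, sizeof g_attack - used, "%s%d-", k ? "," : "", k);
    return g_attack;
}

int main(void)
{
    const char *hdrs[] = { "bytes=0-,40-50", "bytes=0-499,400-599",
                           "bytes=1000-1075,200-250,1051-1100", "bytes=0-0,1-1,2-2",
                           "bytes=0-,5-1,5-2", attack_header(300) };
    for (size_t h = 0; h < sizeof hdrs / sizeof *hdrs; h++) {
        range_decision_t d;
        decide_range(hdrs[h], 10000, 256, &d);
        printf("%.40s -> %d", hdrs[h], d.status);
        for (int i = 0; i < d.count; i++) printf(" %ld-%ld", d.ranges[i].start, d.ranges[i].end);
        putchar('\n');
    }
    return 0;
}
```

With the limit set above the spec count, 300 overlapping "k-" specs collapse to a single 0-(clen-1) range, so merging alone removes the amplification; the spec cap is the cheap backstop for headers that jump around and never merge.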

Re: DoS with mod_deflate & range requests

2011-08-24 Thread William A. Rowe Jr.
On 8/24/2011 3:56 PM, Roy T. Fielding wrote: > On Aug 24, 2011, at 8:35 AM, Tim Bannister wrote: > >> On Tue, Aug 23, 2011, Roy T. Fielding wrote: >>> And the spec says ... >>> When a client requests multiple ranges in one request, the >>> server SHOULD return them in the order that they appea

Re: DoS with mod_deflate & range requests

2011-08-24 Thread William A. Rowe Jr.
On 8/24/2011 4:06 PM, Jim Jagielski wrote: > I'm cool w/ that… treat non-ascending ranges as potential hinky > and count those and only allow a certain number of them… > > Still not sure if we should count overlaps as bad or not… > that RFC example troubles me: > > 14.35.1 Byte Ranges > - S

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Greg Ames
On Wed, Aug 24, 2011 at 5:06 PM, Jim Jagielski wrote: > I'm cool w/ that… treat non-ascending ranges as potential hinky > and count those and only allow a certain number of them… > > Still not sure if we should count overlaps as bad or not… > that RFC example troubles me: > > 14.35.1 Byte Ranges

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Roy T. Fielding
On Aug 24, 2011, at 1:56 PM, Roy T. Fielding wrote: > To be clear, I am more than willing to rewrite the part on > Ranges such that the above is explicitly forbidden in HTTP. > I am not sure what the WG would agree to, but I am quite certain > that part of the reason we have an Apache server is to

Re: DoS with mod_deflate & range requests

2011-08-24 Thread William A. Rowe Jr.
On 8/24/2011 4:54 PM, Roy T. Fielding wrote: > On Aug 24, 2011, at 1:56 PM, Roy T. Fielding wrote: >> To be clear, I am more than willing to rewrite the part on >> Ranges such that the above is explicitly forbidden in HTTP. >> I am not sure what the WG would agree to, but I am quite certain >> that

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Roy T. Fielding
On Aug 24, 2011, at 4:39 PM, William A. Rowe Jr. wrote: > On 8/24/2011 4:54 PM, Roy T. Fielding wrote: >> On Aug 24, 2011, at 1:56 PM, Roy T. Fielding wrote: >>> To be clear, I am more than willing to rewrite the part on >>> Ranges such that the above is explicitly forbidden in HTTP. >>> I am not

Re: DoS with mod_deflate & range requests

2011-08-24 Thread William A. Rowe Jr.
On 8/24/2011 6:43 PM, Roy T. Fielding wrote: > On Aug 24, 2011, at 4:39 PM, William A. Rowe Jr. wrote: > >> On 8/24/2011 4:54 PM, Roy T. Fielding wrote: >>> On Aug 24, 2011, at 1:56 PM, Roy T. Fielding wrote: To be clear, I am more than willing to rewrite the part on Ranges such that the

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
On Aug 24, 2011, at 4:56 PM, Roy T. Fielding wrote: > On Aug 24, 2011, at 8:35 AM, Tim Bannister wrote: > >> On Tue, Aug 23, 2011, Roy T. Fielding wrote: >>> And the spec says ... >>> When a client requests multiple ranges in one request, the >>> server SHOULD return them in the order that the

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Jim Jagielski
On Aug 24, 2011, at 5:54 PM, Roy T. Fielding wrote: > On Aug 24, 2011, at 1:56 PM, Roy T. Fielding wrote: >> To be clear, I am more than willing to rewrite the part on >> Ranges such that the above is explicitly forbidden in HTTP. >> I am not sure what the WG would agree to, but I am quite certai

Re: DoS with mod_deflate & range requests

2011-08-24 Thread Stefan Fritsch
On Thursday 25 August 2011, Jim Jagielski wrote: > OK then… we seem to be coalescing into some consensus here… > basically, if the client sends stuff which is brain-dead stupid, > we simply 200 and send the whole kit-and-kaboodle. > > I'd like to propose that we update the byterange filter to per

RE: DoS with mod_deflate & range requests

2011-08-24 Thread Plüm, Rüdiger, VF-Group
> -Original Message- > From: Stefan Fritsch > Sent: Thursday, 25 August 2011 08:21 > To: dev@httpd.apache.org > Subject: Re: DoS with mod_deflate & range requests > > On Thursday 25 August 2011, Jim Jagielski wrote: > > OK then... we seem to be coal

Re: DoS with mod_deflate & range requests

2011-08-25 Thread Jim Jagielski
On Aug 25, 2011, at 2:56 AM, Plüm, Rüdiger, VF-Group wrote: > > >> -Original Message- >> From: Stefan Fritsch >> Sent: Thursday, 25 August 2011 08:21 >> To: dev@httpd.apache.org >> Subject: Re: DoS with mod_deflate & range requests >>