Forum Discussion
madi_56757
Nimbostratus
Aug 25, 2011
Apache Killer
hello all,
I need help with the following rule.
We need an iRule to avoid an exploit on Apache.
Apache syntax:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]
14 Replies
- dlg_23340
Cirrus
when HTTP_REQUEST {
    # Drop any request whose Range header carries 40 or more comma-separated ranges
    if { [HTTP::header exists "Range"] and ([HTTP::header "Range"] matches_regex {(,.*?){40,}}) } {
        # split on "," only; the stray comma after the closing bracket in the original
        # appended an empty element and over-counted the ranges by one
        log local0. "Range attack CVE-2011-3192 detected from [IP::client_addr]. [llength [split [HTTP::header "Range"] ","]] ranges requested."
        drop
    }
}
- madi_56757
Nimbostratus
it seems to work
thank you very much for your help
our first tests are looking good and now we start a power test
best regards
Markus
- naladar_65658
Altostratus
Cool iRule dlg! :)
- dlg_23340
Cirrus
After another announcement from the apache folks and a little help from smp offline, we have this:
when HTTP_REQUEST {
    # Request-Range is the obsolete alias of Range that Apache still honours; strip it outright
    HTTP::header remove Request-Range
    if { [HTTP::header exists "Range"] and ([HTTP::header "Range"] matches_regex {(,.*?){40,}}) } {
        # split on "," only (the original had a stray comma that over-counted by one)
        log local0. "Range attack CVE-2011-3192 detected from [IP::client_addr]. [llength [split [HTTP::header "Range"] ","]] ranges requested."
        drop
        return
    }
}
- zero_39359
Nimbostratus
May I know whether there is any difference between "(,.*?){40,}" in the iRule and "(,.*?){5,}" in CVE-2011-3192? It seems the counter is different: your iRule counts 40 and CVE-2011-3192 counts 5 ranges. Thanks!
- dlg_23340
Cirrus
zero, the 5 from the CVE seemed too restrictive, given the legitimate uses of the Range header. It ends up we could withstand quite a few simultaneous attacks at 40, so it seemed like a good balance between blocking bad traffic and allowing good traffic.
The CVE also says: "The number 5 is arbitrary. Several 10's should not be an issue and may be required for sites which for example serve PDFs to very high end eReaders or use things such complex http based video streaming."
Between testing and the CVE, we're comfortable with 40. ymmv.
- madi_56757
Nimbostratus
hi,
concerning the newest rule
when HTTP_REQUEST {
    HTTP::header remove Request-Range
    if { [HTTP::header exists "Range"] and ([HTTP::header "Range"] matches_regex {(,.*?){40,}}) } {
        # split on "," only (the original had a stray comma that over-counted by one)
        log local0. "Range attack CVE-2011-3192 detected from [IP::client_addr] to [HTTP::host]. [llength [split [HTTP::header "Range"] ","]] ranges requested."
        drop
        return
    }
}
I got the following error:
Operation not supported (line 1) invoked from within "HTTP::header remove Request-Range"
we are using version 9.4.7
interestingly it is possible to apply the rule, and if we test it with more than 40 ranges it works!
Range attack CVE-2011-3192 detected from XXX. 1302 ranges requested.
any ideas?
thanks for any statements
madi
- dlg_23340
Cirrus
madi, check to see that you don't have any HTTP::redirect directives before this iRule. We saw the same error, and it appears that modifying headers after issuing a redirect causes the behavior you are seeing.
- dlg_23340
Cirrus
Happy to help. Glad to save someone a day of looking :]
- Michael_Yates
Nimbostratus
An iRule that we decided to go with had a few minor alterations.
We decided not to drop the request just in case this was a valid request (far out possibility I know). Instead we decided to strip the range off and serve the request and alter the logging to add the URL Host Value into the logging request (in case you have to use the same defensive iRule on multiple Virtual Servers on the same BIG-IP, you will know or be able to track down which one got "attacked").
Thank you for the research and iRule dlg and smp. Came in handy :)
when HTTP_REQUEST {
    if { [HTTP::header exists "Range"] and ([HTTP::header "Range"] matches_regex {(,.*?){40,}}) } {
        # split on "," only (the original had a stray comma that over-counted by one)
        log local0. "Range attack CVE-2011-3192 detected from [IP::client_addr] on Host [HTTP::host]. [llength [split [HTTP::header "Range"] ","]] ranges requested."
        # strip the Range header and let the request through instead of dropping it
        HTTP::header remove Range
        return
    }
}
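To make the detection and the two mitigation choices in this thread (dlg's drop, Michael_Yates' strip-and-serve) testable off the BIG-IP, here is a plain-Python model of the iRule logic. It is an added example, not code from the thread or from F5. The function names, the "www.example.test" host and the sample Range headers are constructed for illustration. It counts commas directly rather than porting the `(,.*?){40,}` regex, because Python's backtracking `re` engine handles a pattern of that shape badly on long headers; the comma count makes the threshold explicit and shows the boundary the regex actually implies: 40 commas means 41 ranges, so a header with exactly 40 ranges passes.

```python
# Threshold from the thread: the iRule's matches_regex {(,.*?){40,}} needs at
# least 40 commas in the Range value, so it fires on 41 or more ranges.
COMMA_THRESHOLD = 40


def count_ranges(range_value):
    """Number of comma-separated ranges in a Range header value.

    Equivalent to the Tcl [llength [split $value ","]] in the thread's log line.
    """
    return len(range_value.split(","))


def is_range_attack(range_value, comma_threshold=COMMA_THRESHOLD):
    """Mirror the iRule test: True when the header holds at least 40 commas."""
    return range_value.count(",") >= comma_threshold


def inspect_request(headers, mode="drop"):
    """Apply the thread's detection to one request's headers (hypothetical helper).

    headers: dict of header name -> value; only 'Range' and 'Host' are consulted.
    mode:    'drop'  reproduces dlg's iRule (reject the request);
             'strip' reproduces Michael_Yates' variant (remove Range, serve normally).
    Returns (action, headers_to_forward, log_line_or_None).
    """
    range_value = headers.get("Range")
    if range_value is None or not is_range_attack(range_value):
        return ("allow", dict(headers), None)

    log_line = "Range attack CVE-2011-3192 detected on Host %s. %d ranges requested." % (
        headers.get("Host", "-"),
        count_ranges(range_value),
    )
    if mode == "strip":
        # Serve the request without its Range header so the origin sends the whole body once
        forwarded = {k: v for k, v in headers.items() if k != "Range"}
        return ("serve-without-range", forwarded, log_line)
    return ("drop", dict(headers), log_line)


def build_range_header(n):
    """Constructed sample: a Range value with n single-byte ranges, for testing only."""
    return "bytes=" + ",".join("%d-%d" % (i, i) for i in range(n))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic
    legit = {"Host": "www.example.test", "Range": "bytes=0-499,1000-1499"}
    flood = {"Host": "www.example.test", "Range": build_range_header(1302)}
    for name, hdrs in (("legit", legit), ("flood", flood)):
        drop_action = inspect_request(hdrs, mode="drop")[0]
        strip_action, fwd, log = inspect_request(hdrs, mode="strip")
        print(name, drop_action, strip_action, sorted(fwd), log)
```

The two modes trade off differently: dropping is the safer default when the Range header is clearly hostile, while stripping keeps an unusual but legitimate client working at the cost of serving the full object once instead of the requested pieces. Either way the log line carries the Host, which is what lets you tell virtual servers apart when one iRule protects several.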