Forum Discussion
madi_56757
Nimbostratus
Aug 25, 2011
Apache Killer
hello all,
I need help with the following rule.
We need an iRule to avoid an exploit on Apache.
Apache syntax
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]
14 Replies
- dlg_23340
Cirrus
when HTTP_REQUEST {
    # Drop the request when the Range header carries 40 or more comma-separated ranges
    if { [HTTP::header exists "Range"] and ([HTTP::header "Range"] matches_regex {(,.*?){40,}}) } {
        log local0. "Range attack CVE-2011-3192 detected from [IP::client_addr]. [llength [split [HTTP::header "Range"] ","]] ranges requested."
        drop
    }
}
- madi_56757
Nimbostratus
It seems to work.
- naladar_65658
Altostratus
Cool iRule dlg! :)
- dlg_23340
Cirrus
After another announcement from the Apache folks and a little help from smp offline, we have this:
when HTTP_REQUEST {
    # The Apache advisory also names the Request-Range header; strip it unconditionally
    HTTP::header remove Request-Range
    if { [HTTP::header exists "Range"] and ([HTTP::header "Range"] matches_regex {(,.*?){40,}}) } {
        log local0. "Range attack CVE-2011-3192 detected from [IP::client_addr]. [llength [split [HTTP::header "Range"] ","]] ranges requested."
        drop
        return
    }
}
- zero_39359
Nimbostratus
May I know whether there is any difference between "(,.*?){40,}" in the iRule and "(,.*?){5,}" in CVE-2011-3192? It seems the counter is different: your iRule counts 40 and CVE-2011-3192 counts 5 ranges. Thanks!
- dlg_23340
Cirrus
zero, the 5 from the CVE seemed too restrictive, given the legitimate uses of the Range header. It turns out we could withstand quite a few simultaneous attacks at 40, so it seemed like a good balance between blocking bad traffic and allowing good traffic.

The number 5 is arbitrary. Several 10's should not be an issue and may be required for sites which, for example, serve PDFs to very high end eReaders or use things such as complex HTTP based video streaming.
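To make the threshold discussion concrete, here is an added Python model of the checks in this thread; it is example code, not F5 or Apache code. It counts the ranges in a Range header, applies the iRule's `(,.*?){N,}` regex at the advisory's 5 and at dlg's 40, shows which requests the mod_rewrite condition from the original question would reject (any request with two or more ranges), and models the Tcl `[llength [split ...]]` count with and without an accidentally appended trailing comma, which over-reports by one. The sample headers are constructed for this example.

```python
import re

# Sample Range headers, constructed for this demonstration (not taken from the thread).
SINGLE = "bytes=0-499"
MULTI_3 = "bytes=0-99,200-299,400-499"
EREADER_12 = "bytes=" + ",".join(f"{i*1000}-{i*1000+999}" for i in range(12))
MANY_50 = "bytes=" + ",".join(f"{i*10}-{i*10+9}" for i in range(50))

# The mod_rewrite condition from the original question: it matches as soon as a
# second "start-end" pair follows a comma, i.e. on any multi-range request.
APACHE_COND = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")


def count_ranges(range_header: str) -> int:
    """Count the byte ranges in a Range header ('bytes=0-9,20-29' -> 2)."""
    _, _, spec = range_header.partition("=")
    return sum(1 for part in spec.split(",") if part.strip())


def tcl_llength_split(range_header: str, trailing_comma: bool) -> int:
    """Model of [llength [split <value> ","]] in the iRule's log line.

    If a comma is glued to the command substitution, Tcl splits the header
    value plus a trailing comma and reports one range too many.  Tcl's split
    keeps empty elements, as str.split does here.
    """
    value = range_header + ("," if trailing_comma else "")
    return len(value.split(","))


def irule_decision(range_header: str, threshold: int = 40):
    """Apply the thread's check: drop when the header holds >= threshold commas.

    Returns (action, range_count). threshold=5 is the advisory's figure,
    40 the value dlg settled on after testing.
    """
    pattern = re.compile(r"(,.*?){%d,}" % threshold)
    action = "drop" if pattern.search(range_header) else "allow"
    return action, count_ranges(range_header)


def apache_cond_blocks(range_header: str) -> bool:
    """True when the mod_rewrite condition from the question would return 403."""
    return APACHE_COND.search(range_header) is not None


if __name__ == "__main__":
    samples = [("single", SINGLE), ("multi_3", MULTI_3),
               ("ereader_12", EREADER_12), ("many_50", MANY_50)]
    for name, hdr in samples:
        print(f"{name:10} ranges={count_ranges(hdr):2} "
              f"apache={'block' if apache_cond_blocks(hdr) else 'allow':5} "
              f"irule@5={irule_decision(hdr, 5)[0]:5} "
              f"irule@40={irule_decision(hdr, 40)[0]}")
```

Running the block shows the trade-off zero asked about: the 12-range eReader-style request is dropped at 5 and allowed at 40, while the mod_rewrite condition from the question already rejects the three-range request.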
- madi_56757
Nimbostratus
Hi,
concerning the newest rule
- dlg_23340
Cirrus
madi, check to see that you don't have any HTTP::redirect directives before this iRule. We saw the same error, and it appears that modifying headers after issuing a redirect causes the behavior you are seeing.
- dlg_23340
Cirrus
Happy to help. Glad to save someone a day of looking :]
- Michael_Yates
Nimbostratus
An iRule that we decided to go with had a few minor alterations.
when HTTP_REQUEST {
    if { [HTTP::header exists "Range"] and ([HTTP::header "Range"] matches_regex {(,.*?){40,}}) } {
        log local0. "Range attack CVE-2011-3192 detected from [IP::client_addr] on Host [HTTP::host]. [llength [split [HTTP::header "Range"] ","]] ranges requested."
        # Strip the header instead of dropping the request, so the client gets the full resource
        HTTP::header remove Range
        return
    }
}