Forum Discussion
madi_56757
Aug 25, 2011 Nimbostratus
Apache Killer
Hello all,
I need help with the following rule.
We need an iRule to avoid an exploit on Apache.
Apache syntax:
RewriteEngine On
RewriteCond %{REQUEST_METHOD}...
James_Denton_12
Mar 23, 2012 Nimbostratus
Jason,
Not sure if you're monitoring this, but the following seems like a solution without using regex:
when HTTP_REQUEST {
    # Only inspect requests that carry a Range header
    if { [HTTP::header exists "Range"] } {
        # Count the comma-separated ranges in the header value
        set tot_ranges [llength [split [HTTP::header "Range"] ","]]
        if { $tot_ranges >= 40 } {
            log local0. " Range attack CVE-2011-3192 detected from [IP::client_addr] on Host [HTTP::host]. $tot_ranges ranges requested."
            HTTP::header remove Range
            drop
        }
        return
    }
}
Seems to provide the same results on my LTM VE. Not sure what the performance benefit looks like.
James Denton
james.denton@rackspace.com
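The counting check from the reply above, as an added example that is not part of the thread: plain Tcl for tclsh (no iRule commands), kept to Tcl 8.4 syntax. The names count_ranges, range_verdict, make_header and RANGE_LIMIT are hypothetical and the headers are constructed samples; a naive split count is printed alongside to show how empty elements, such as the one after a trailing comma, inflate it.

```tcl
# Added example, not code from the thread. All names are hypothetical.
set RANGE_LIMIT 40   ;# threshold used in the iRule above

# Number of non-empty range specs in one Range header value.
proc count_ranges {value} {
    # Drop the unit prefix ("bytes=") if present
    set eq [string first "=" $value]
    if { $eq >= 0 } {
        set value [string range $value [expr {$eq + 1}] end]
    }
    set n 0
    foreach spec [split $value ","] {
        # Skip empty elements left by trailing or doubled commas
        if { [string trim $spec] ne "" } { incr n }
    }
    return $n
}

# Sum the ranges over every Range value supplied for one request and
# return {action total}, where action is "drop" or "allow".
proc range_verdict {values limit} {
    set total 0
    foreach v $values { incr total [count_ranges $v] }
    if { $total >= $limit } { return [list drop $total] }
    return [list allow $total]
}

# Build a constructed sample header with n ranges.
proc make_header {n} {
    set specs {}
    for {set i 0} {$i < $n} {incr i} { lappend specs "5-$i" }
    return "bytes=[join $specs ,]"
}

# Constructed sample headers: label, header value
foreach {label hdr} [list \
    "single range"            "bytes=0-499" \
    "three ranges, spaces"    "bytes=0-1,2-3, 4-5" \
    "39 ranges + trailing ,"  "[make_header 39]," \
    "40 ranges"               [make_header 40] \
] {
    set naive [llength [split $hdr ","]]
    set res   [range_verdict [list $hdr] $RANGE_LIMIT]
    puts [format "%-24s naive=%-3d counted=%-3d -> %s" \
        $label $naive [lindex $res 1] [lindex $res 0]]
}
```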