Ido_Breger_3805
Historic F5 Account
Aug 31, 2011

Latest Apache range headers DOS vulnerability signature suggestion

Hi,

You probably heard about this latest Apache DOS vulnerability.

http://www.kb.cert.org/vuls/id/405811

Here is a suggestion to add 2 signatures that will block such an attack (based on the assumption of no more than 5 range values):

1. headercontent:"Range"; nocase; pcre:"/(?:Request-)?Range:[\t ]*?bytes[\t ]*?=(?:[\t\d-]+?,){5}/Hi";

2. headercontent:"Range"; nocase; pcre:"/(?:Request-)?Range:[^\r\n]{256}/Hi";
  • This is another good F5 article on several options to prevent this attack using BIG-IP solutions:

    http://devcentral.f5.com/weblogs/macvittie/archive/2011/08/26/f5-friday-zero-day-apache-exploit-zero-problem.aspx

    So for more than 5 ranges requested, would I say the suggested one below (extracted from the article) is also fine, same as Option (1) from Ido except that we just need to change {5} to {5,}?

    >> headercontent:"Range"; nocase; pcre:"/Range:[\t ]*bytes=(([0-9\- ])+,){5,}/Hi";

    By the way, just curious why the need for Option (2)?

    Pardon me as I am new to iRule syntax. Thanks in advance.
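
As an added example (not part of either post and not F5's code), this Python script runs the two signatures from the original post, Option (1) with {5,} in place of {5}, and the pattern quoted from the article over constructed header lines. It assumes Python's re module behaves like the signature engine's PCRE for these patterns and drops the H modifier; the labels opt1, opt1_open, opt2 and article are names made up here.

```python
import re

# Constructed translation of the thread's signatures for Python's re module.
# Assumption: the "H" modifier is engine scope and is dropped; "i"/nocase -> IGNORECASE.
SIGS = {
    "opt1": r"(?:Request-)?Range:[\t ]*?bytes[\t ]*?=(?:[\t\d-]+?,){5}",
    "opt1_open": r"(?:Request-)?Range:[\t ]*?bytes[\t ]*?=(?:[\t\d-]+?,){5,}",
    "opt2": r"(?:Request-)?Range:[^\r\n]{256}",
    "article": r"Range:[\t ]*bytes=(([0-9\- ])+,){5,}",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in SIGS.items()}

def ranges(n):
    """Constructed header value with n overlapping ranges: 0-1,0-2,...,0-n."""
    return "bytes=" + ",".join(f"0-{i}" for i in range(1, n + 1))

# Constructed sample header lines (not captured traffic).
SAMPLES = {
    "single": "Range: " + ranges(1),
    "five": "Range: " + ranges(5),
    "six": "Range: " + ranges(6),
    "six_lower": "range: " + ranges(6).upper(),
    "legacy": "Request-Range: " + ranges(6),
    "many_short": "Range: " + ranges(39),      # many ranges, under 256 chars
    "many_long": "Range: " + ranges(200),      # many ranges, over 256 chars
    "one_huge": "Range: bytes=0-" + "9" * 300,  # one range, over 256 chars
}

def hits(line):
    """Return the sorted names of the signatures that match one header line."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(line))

def report():
    """Map every sample label to the signatures that fire on it."""
    return {label: hits(line) for label, line in SAMPLES.items()}

if __name__ == "__main__":
    for label, matched in report().items():
        print(f"{label:11} len={len(SAMPLES[label]):4} -> {matched or 'no match'}")
```

On these samples {5} and {5,} agree everywhere, since an unanchored search succeeds as soon as five comma-terminated ranges are found. Option (2) fires only on length: it matches the one oversized value that has no commas and misses the 39-range line that stays under 256 characters.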
  • There is also a recent enhancement of Killer Apache @ http://www.pentestit.com/killapache-redone-ddos/

    Difference Between Old and New Modified Exploit:

    < $p = “HEAD / HTTP/1.1rnHost: $ARGV[0]rnRange:bytes=0-$prnAccept-Encoding: gziprnConnection: closernrn”; — > $p = “HEAD “.($ARGV[2] ? $ARGV[2] : “/”).”HTTP/1.1rnHost: $ARGV[0]rnRange:bytes=0-$prnAccept-Encoding: gziprnConnection: closernrn”;
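
Review bot: a signature for this traffic should key on the Range header and not on the request URI, because the request target is the only part that differs between the two lines (a fixed "/" in the old one, an optional $ARGV[2] falling back to "/" in the new one) while Range:bytes=0-$p, Accept-Encoding: gzip and Connection: close are identical in both. The rn runs in both lines are \r\n line endings whose backslashes were lost on this page.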