LineRate: Range header attack mitigation
Using the LineRate Node.js engine to mitigate HTTP Range header attacks on backend systems
The latest details are emerging about a Range header vulnerability in Microsoft IIS (see MS15-034 and CVE-2015-1635). There have been other previous exploits in the byte range header, as well. F5 has several products available that can protect your backend servers from these exploits, including BIG-IP iRules, ASM (see Mitigating Remote Code Execution in "HTTP.sys" (CVE-2015-1635)), and LineRate.
The LineRate Node.js script below will protect your backend servers by preventing requests with malformed and/or malicious range headers from ever reaching them in the first place. It will check the Range header and return a 416 status code ("Requested Range Not Satisfiable") in any of the following situations:
- A malformed header value
- Too many ranges requested (configurable value, default to 10)
- Range value too large (configurable value, default to 1GB)
(Some might feel that using status code 416 is a little too liberal in this scenario. If that's you, feel free to swap 416 with 403, 400, 404 or whatever else suits you.)
The Script
If you're not already familiar with Node.js and the LineRate scripting engine, be sure to check out the LineRate Scripting Developer's Guide.
Testing
Malformed header:
> curl -w " (%{http_code})\n" -s -H 'Range: malformed' http://172.16.87.157
Malformed header or invalid range (416)
Too many ranges:
> curl -w " (%{http_code})\n" -s -H 'Range: bytes=1-2,2-3,3-4,4-5,5-6,6-7,7-8,9-10' http://172.16.87.157
Too many ranges (416)
Range value too large:
> curl -w " (%{http_code})\n" -s -H 'Range: bytes=1-10000000000' http://172.16.87.157
Range value exceeds allowed maximum (416)
Safe request:
talley@BLD-ML-BTALLEY:~/ > curl -w "%{http_code}\n" -s -H 'Range: bytes=1-100' http://172.16.87.157
200
Please leave a comment or reach out to us with any questions or suggestions and if you're not a LineRate user yet, remember you can try it out for free.