Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Warning Security issue :: DoS attack with range requests ! |
|
| Author |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU
|
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
 Posted: Wed 24 Aug '11 16:03 Post subject: |
 |
|
| That script sends only head requests. Maybe it helps to block those if you haven't already done. |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU
|
| Posted: Wed 24 Aug '11 19:12 Post subject: |
|
|
Updated 25 August 2011
| Code: | Apache HTTPD Security ADVISORY
==============================
UPDATE 2
Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192
Last Change: 20110824 1800Z
Date: 20110824 1600Z
Product: Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions
Description:
============
A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by the Apache HTTPD server:
http://seclists.org/fulldisclosure/2011/Aug/175
An attack tool is circulating in the wild. Active use of this tools has
been observed.
The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.
The default Apache HTTPD installation is vulnerable.
There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
is available.
A full fix is expected in the next 48 hours.
Background and the 2007 report
==============================
There are two aspects to this vulnerability. One is new, is Apache specific; and
resolved with this server side fix. The other issue is fundamentally a protocol
design issue dating back to 2007 (http://seclists.org/bugtraq/2007/Jan/83). The
contemporary interpretation of the HTTP protocol (currently) requires a server to
return multiple (overlapping) ranges; in the order requested. This means that one
can request a very large range (e.g. from byte 0- to the end) 100's of times
in a single request. Being able to do so is an issue for (propably all) webservers
and currently subject of an IETF discussion to change the protocol:
http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311
Now this advisory is about how Apache its so called internal 'bucket brigades'
deal with serving such "valid" request which internally explode into 100's of
large fetches; and keeping those in memory in an inefficient way.
Mitigation:
============
There are several immediate options to mitigate this issue until a full fix
is available:
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.
Option 1: (Apache 2.0.61+ and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
Option 2: (Old 2.0 and 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
The number 5 is arbitrary. Several 10's should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such complex http based video streaming.
2) Limit the size of the request field to a few hundred bytes. Note that while
this keeps the offending Range header short - it may break other headers;
such as sizeable cookies or security fields.
LimitRequestFieldSize 200
Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.
See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
3) Use mod_headers to completely dis-allow the use of Range headers:
RequestHeader unset Range
Note that this may break certain clients - such as those used for
e-Readers and progressive/http-streaming video.
4) Deploy a Range header count module as a temporary stopgap measure:
http://people.apache.org/~dirkx/mod_rangecnt.c
Precompiled binaries for some platforms are available at:
http://people.apache.org/~dirkx/BINARIES.txt
5) Apply any of the current patches under discussion - such as:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e
OS and Vendor specific information
==================================
Red Hat: Option 1 cannot be used on Red Hat Enterprise Linux 4.
https://bugzilla.redhat.com/show_bug.cgi?id=732928
NetWare: Pre compiled binaries available.
mod_security: Has updated their rule set; see
http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html
Actions:
========
Apache HTTPD users who are concerned about a DoS attack against their server
should consider implementing any of the above mitigations immediately.
When using a third party attack tool to verify vulnerability - know that most
of the versions in the wild currently check for the presence of mod_deflate;
and will (mis)report that your server is not vulnerable if this module is not
present. This vulnerability is not dependent on presence or absence of
that module.
Planning:
=========
This advisory will be updated when new information, a patch or a new release
is available. A patch or new apache release for Apache 2.0 and 2.2 is expected
in the next 48 hours. Note that, while popular, Apache 1.3 is deprecated.
|
|
|
| Back to top |
|
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
|
| Posted: Thu 25 Aug '11 6:32 Post subject: |
|
|
| James Blond wrote: | | That script sends only head requests. Maybe it helps to block those if you haven't already done. |
Till someone decides that since you are blocking HEAD requests they will just modify it to send GET requests?
I doubt there will be a new release in 48 hours, not if they are going to go through the 72 hour voting period. It's a high priority however, just last I saw they are still deciding just which route to take to deal with it.
mod_rangecnt for anyone that might want it:
Apache 2.2.x & 2.0.x mod_rangecnt modules Apache.org x86 (or any x86 VC6 build)
Edit: removed stale links and updated link to vc6 builds
Last edited by glsmith on Sat 25 Feb '12 14:03; edited 1 time in total |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU
|
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU
|
| Posted: Fri 26 Aug '11 7:00 Post subject: |
|
|
ASF still discussing a fix.
The mod_security solution looks to me the best for now.
Steffen |
|
| Back to top |
|
|
|
|
|
|
