Full Disclosure mailing list archives
Re: Apache Killer
From: ZOne <zone2kz () gmail com>
Date: Wed, 24 Aug 2011 10:23:40 -0400
For those using Snort, a local snort rule to alert for incoming attacks might help while waiting for a patch. Example:

alert tcp $EXTERNAL_NET any -> any 80 (msg:"INBOUND Apache Killer script: Local web server is under attack."; content:"Range:bytes=0-"; classtype: denial-of-service; threshold: type threshold, track by_src, count 5, seconds 20; sid:3000005;)

On Wed, Aug 24, 2011 at 4:03 AM, Davide Guerri <davide.guerri () gmail com> wrote:

> While waiting for an official patch, how about the following workaround?
>
> RewriteEngine On
> RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
> RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
> RewriteRule .* - [F]
>
> The workaround uses mod_rewrite to forbid GET|HEAD requests with multiple ranges in the Range HTTP header. The second regex could be improved but it works for the exploit released so far...
>
> Cheers,
> Davide.
>
> On 24/Aug/2011, at 08:01, -= Glowing Sex =- wrote:
>
>> This is handy to read for anyone who runs apache... it's worth a look... thx kcope ;>
>> xd
>>
>> On 24 August 2011 13:26, HI-TECH . <isowarez.isowarez.isowarez () googlemail com> wrote:
>>
>>> Hello list,
>>> oops looks like this bug has nothing to do with mod_deflate/mod_gzip, read on here where the apache team is resolving the issue: http://www.gossamer-threads.com/lists/apache/dev/401638
>>>
>>> Cheers,
>>> Kingcope
>>>
>>> 2011/8/20 Moritz Naumann <security () moritz-naumann com>:
>>>
>>>> On 20.08.2011 00:23 HI-TECH . wrote:
>>>>
>>>>> (see attachment)
>>>>> /Kingcope
>>>>
>>>> Works (too) well here. Are there any workarounds other than rate limiting or detecting + dropping the traffic IPS-wise?
>>>>
>>>> Moritz
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
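The two defensive checks posted in this thread, Davide's mod_rewrite Range condition and ZOne's by-source Snort threshold, re-implemented in Python as an added example that is not from the original posts. The sample requests and IP addresses are constructed, and the threshold class only approximates Snort's "type threshold" counting.

```python
import re
from collections import defaultdict, deque

# Same regex as the second RewriteCond in Davide's workaround (Python's re reads it identically).
MULTI_RANGE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")

def would_be_forbidden(method, headers):
    """Mirror of the mod_rewrite workaround: a GET/HEAD (case-insensitive, [NC])
    whose Range header lists more than one byte range is answered 403 ([F])."""
    if not re.match(r"^(HEAD|GET)", method, re.IGNORECASE):
        return False
    return MULTI_RANGE.search(headers.get("Range", "")) is not None

class RangeThreshold:
    """Approximation of the Snort rule's threshold: per source (track by_src), fire on the
    5th request containing 'Range:bytes=0-' seen within 20 s, then reset that source."""
    def __init__(self, count=5, seconds=20):
        self.count, self.seconds = count, seconds
        self.seen = defaultdict(deque)            # src -> timestamps of matching requests

    def observe(self, src, ts, raw_request):
        if b"Range:bytes=0-" not in raw_request:  # the rule's content match
            return False
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.seconds:     # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()
            return True
        return False

# Constructed sample traffic: one client repeatedly sending HEAD / with an exploit-style
# multi-range header, plus one ordinary client resuming a download with a single range.
ATTACK_RANGE = "bytes=0-," + ",".join(f"5-{i}" for i in range(50))
SAMPLE = [(f"HEAD / HTTP/1.1\r\nHost: www\r\nRange:{ATTACK_RANGE}\r\n\r\n", "198.51.100.7", t)
          for t in range(6)]
SAMPLE.append(("GET /f.iso HTTP/1.1\r\nHost: www\r\nRange: bytes=1000-\r\n\r\n", "203.0.113.9", 3))

def run_detection(samples):
    """Return (sources that tripped the threshold, number of requests mod_rewrite would 403)."""
    th, alerted, forbidden = RangeThreshold(), [], 0
    for raw, src, ts in samples:
        method, _, rest = raw.partition(" ")
        hdrs = dict(line.split(":", 1) for line in rest.split("\r\n")[1:] if ":" in line)
        hdrs = {k.strip(): v.strip() for k, v in hdrs.items()}
        forbidden += int(would_be_forbidden(method, hdrs))
        if th.observe(src, ts, raw.encode()):
            alerted.append(src)
    return alerted, forbidden
```

Running run_detection(SAMPLE) flags the hammering source once (on its fifth request) and shows that all six of its requests, but not the legitimate single-range download, would be forbidden by the rewrite rule.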