Full Disclosure mailing list archives
Re: Apache Killer
From: Jari Fredriksson <jarif () iki fi>
Date: Wed, 24 Aug 2011 18:14:38 +0300
24.8.2011 12:36, Davide Guerri wrote:
Hi Jari, I have it working here on Ubuntu 10.04.3 LTS. Please be sure you have mod_rewrite enabled and that you've added the rewrite rules to the virtualhost you want to protect from the DoS. Mod_rewrite rules can't be used system-wide (although it's possible for a virtualhost to inherit any rules specified in the main Apache configuration file).
Thanks, that worked! :)
To debug you can use the following directives:

RewriteLog /var/log/apache2/rewrite.log
RewriteLogLevel 3

On a match the log file should contain something like:

<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cb95d58/subreq] (1) pass through /index.html
<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (2) init rewrite engine with requested uri /
<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (3) applying pattern '.*' to uri '/'

Cheers, Davide.

On 24/Aug/2011, at 11:02, Jari Fredriksson wrote:

24.8.2011 11:03, Davide Guerri wrote:

While waiting for an official patch, how about the following workaround?

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]

The workaround uses mod_rewrite to forbid GET|HEAD requests with multiple ranges in the Range HTTP header. The second regex could be improved but it works for the exploit released so far...

Cheers, Davide.

Did not help here. Debian Squeeze with its Apache.
-- He was part of my dream, of course -- but then I was part of his dream too. -- Lewis Carroll
Attachment:
signature.asc
Description: OpenPGP digital signature
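As an added example (not code from the thread or from Apache), the Python below applies the two RewriteCond patterns quoted above to constructed sample requests, so you can see which Range headers the RewriteRule would answer with 403 and which single-range requests pass untouched. The sample requests and the count_ranges helper are additions for illustration, not part of the original post.

```python
import re
from typing import Optional

# Regex from the RewriteCond %{HTTP:Range} line in the thread, used as an
# unanchored search exactly as mod_rewrite applies it.
MULTI_RANGE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")

# The RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC] line; [NC] = case-insensitive.
METHOD = re.compile(r"^(HEAD|GET)", re.IGNORECASE)


def rewrite_forbids(method: str, range_header: Optional[str]) -> bool:
    """True when both RewriteCond lines match, i.e. RewriteRule .* - [F]
    would fire and the request would get 403 Forbidden."""
    if not METHOD.search(method):
        return False
    if range_header is None:  # no Range header: the second condition cannot match
        return False
    return MULTI_RANGE.search(range_header) is not None


def count_ranges(range_header: str) -> int:
    """Number of comma-separated range specs in a Range header value.
    Added helper (not from the thread) to show what the regex reacts to."""
    _, _, spec = range_header.partition("=")
    return len([r for r in spec.split(",") if r.strip()])


# Constructed sample requests (not captured traffic): (method, Range header value).
SAMPLES = [
    ("GET", None),                    # ordinary request, no Range header
    ("GET", "bytes=0-499"),           # legitimate single range, must pass
    ("GET", "bytes=0-0,-1"),          # two ranges: forbidden by the rule
    ("HEAD", "bytes=0-,1-,2-,3-"),    # many ranges on HEAD: forbidden
    ("POST", "bytes=0-0,-1"),         # method not matched by the first condition
]


def classify(samples=SAMPLES):
    """Return (method, range, forbidden) for each sample request."""
    return [(m, r, rewrite_forbids(m, r)) for m, r in samples]


if __name__ == "__main__":
    for method, rng, blocked in classify():
        print(f"{method:5} Range: {str(rng):24} -> {'403' if blocked else 'pass'}")
```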
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/