Full Disclosure mailing list archives

Re: Apache Killer


From: Jari Fredriksson <jarif () iki fi>
Date: Wed, 24 Aug 2011 18:14:38 +0300


On 24.8.2011 12:36, Davide Guerri wrote:
> Hi Jari,
> I have it working here on Ubuntu 10.04.3 LTS.
>
> Please be sure you've got mod_rewrite enabled and that you've added the rewrite rules to the virtualhost you want to protect from the DoS.
> mod_rewrite rules can't be used system-wide (although it's possible for a virtualhost to inherit any rules specified in the main Apache configuration file).


Thanks, that worked! :)


> To debug you can use the following directives:
>
> RewriteLog /var/log/apache2/rewrite.log
> RewriteLogLevel 3
>
> On a match the log file should contain something like:
>
> <server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cb95d58/subreq] (1) pass through /index.html
> <server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (2) init rewrite engine with requested uri /
> <server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (3) applying pattern '.*' to uri '/'
>
> Cheers,
>  Davide.

> On 24 Aug 2011, at 11:02, Jari Fredriksson wrote:
>
>> On 24.8.2011 11:03, Davide Guerri wrote:
>>> While waiting for an official patch, how about the following workaround?
>>>
>>> RewriteEngine On
>>> # only GET and HEAD carry a Range header worth checking
>>> RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
>>> # two or more comma-separated "a-b" pieces in the Range header
>>> RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
>>> # answer 403 Forbidden without touching the requested resource
>>> RewriteRule .* - [F]
>>>
>>>
>>> The workaround uses mod_rewrite to forbid GET|HEAD requests with multiple ranges in the Range HTTP header.
>>> The second regex could be improved, but it works for the exploit released so far...
>>>
>>> Cheers,
>>> Davide.
>>
>>
>> Did not help here. Debian Squeeze with its Apache.



-- 

He was part of my dream, of course -- but then I was part of his dream too.
                -- Lewis Carroll
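The rewrite rule in the thread refuses every GET/HEAD that carries two or more byte ranges, which is blunt: clients that legitimately fetch a few disjoint ranges (PDF byte-serving, segmented downloaders) get a 403 along with the attack. The following Python is an added example, not code from the thread or from Apache: it reproduces Davide's RewriteCond regex as-is, parses the Range header into byte-range-specs, and beside it shows a more selective policy that rejects only requests with a large number of ranges, a syntactically invalid "last < first" spec, or overlapping ranges. The `max_ranges=5` threshold and the sample headers (including the many-range "killer" style one) are assumptions constructed for the example, not captured traffic.

```python
import re

# The RewriteCond pattern from Davide's workaround, verbatim: it fires on any
# Range value containing two or more comma-separated "a-b" pieces.
THREAD_REGEX = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")

# One byte-range-spec (RFC 2616 14.35.1): "first-last", "first-" or "-suffix".
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(range_header):
    """Parse a Range header value into a list of (first, last) tuples.

    first or last is None for the open-ended ("500-") or suffix ("-500")
    forms. Returns None when there is no header, the unit is not 'bytes',
    or a spec cannot be parsed at all (e.g. "bytes=abc").
    """
    if range_header is None:
        return None
    value = range_header.strip()
    if not value.lower().startswith("bytes="):
        return None
    specs = []
    for part in value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(part.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        specs.append((first, last))
    return specs


def thread_rule_matches(method, range_header):
    """True when the three RewriteCond/RewriteRule lines from the thread
    would answer 403: a GET/HEAD whose Range header has two or more ranges."""
    if method.upper() not in ("GET", "HEAD"):
        return False
    if range_header is None:
        return False
    return THREAD_REGEX.search(range_header) is not None


def has_overlap(specs):
    """True if any two bounded or open-ended ranges overlap.
    Suffix ranges ("-500") are skipped because their start is unknown."""
    bounded = [(f, l if l is not None else float("inf"))
               for f, l in specs if f is not None]
    bounded.sort()
    for (f1, l1), (f2, _) in zip(bounded, bounded[1:]):
        if f2 <= l1:
            return True
    return False


def decide(method, range_header, max_ranges=5):
    """More selective policy than the thread's rule: returns (allowed, reason).

    Rejects only when the request looks abusive: more than max_ranges ranges,
    a spec with last < first (syntactically invalid per RFC 2616), or
    overlapping ranges. max_ranges=5 is an assumed threshold for this
    example, not a value from the thread or from Apache.
    """
    if method.upper() not in ("GET", "HEAD"):
        return True, "method not covered"
    specs = parse_byte_ranges(range_header)
    if specs is None:
        return True, "no parseable byte-range set"
    if len(specs) > max_ranges:
        return False, "%d ranges exceeds limit of %d" % (len(specs), max_ranges)
    for first, last in specs:
        if first is not None and last is not None and last < first:
            return False, "invalid byte-range-spec %d-%d" % (first, last)
    if has_overlap(specs):
        return False, "overlapping ranges"
    return True, "ok"


# Constructed sample headers for the example (not captured traffic).
NORMAL_RESUME = "bytes=1000-"                    # a download resume
PDF_STYLE = "bytes=0-99, 200-299, 400-499"      # a few disjoint ranges
KILLER_STYLE = "bytes=0-," + ",".join("5-%d" % i for i in range(1300))

if __name__ == "__main__":
    for name, hdr in [("resume", NORMAL_RESUME), ("pdf", PDF_STYLE),
                      ("killer", KILLER_STYLE)]:
        print("%-7s thread rule 403: %-5s policy: %s" % (
            name, thread_rule_matches("GET", hdr), decide("GET", hdr)))
```

Run as-is it prints the verdict of both checks for the three constructed headers: the resume passes both, the three-range request is refused by the thread's regex but allowed by the count-based policy, and the many-range request is refused by both. To confirm the rewrite rule is actually active on a vhost, send a request that trips it and look for a 403, e.g. `curl -sI -H 'Range: bytes=0-1,2-3' http://host/`; a 200 or 206 means the rule is not being evaluated for that vhost, which was Jari's problem above. Two caveats when porting the stricter policy back into mod_rewrite: Apache also honours the legacy `Request-Range` header, so a condition keyed only on `%{HTTP:Range}` should be mirrored for `%{HTTP:Request-Range}`, and newer Apache releases ship a `MaxRanges` directive that limits the range count server-side, which is the proper fix once it is available to you.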


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
