Comments on: Use mod_rewrite to protect from “Apache Killer”
http://bechtsoudis.com/2011/08/24/use-mod_rewrite-to-protect-from-apache-killer/
Driven by Passion for Challenges
Thu, 10 Apr 2014 08:41:30 +0000

By: anestisb, Fri, 26 Aug 2011 10:50:20 +0000
http://bechtsoudis.com/2011/08/24/use-mod_rewrite-to-protect-from-apache-killer/#comment-102

You are right, coders should take into account the “Request-Range” too.

I have already sent a relevant email to the full-disclosure mailing list (credits to you of course):
http://seclists.org/fulldisclosure/2011/Aug/300

And Dirk-Willem has updated the previous advisory relatively:
http://seclists.org/fulldisclosure/2011/Aug/301

By: Gappy, Fri, 26 Aug 2011 09:08:11 +0000
http://bechtsoudis.com/2011/08/24/use-mod_rewrite-to-protect-from-apache-killer/#comment-101

Yes, everyone should update their instructions for working around this issue to include the Request-Range header also, otherwise attempts at blocking the exploit will be insufficient?

By: anestisb, Fri, 26 Aug 2011 08:52:34 +0000
http://bechtsoudis.com/2011/08/24/use-mod_rewrite-to-protect-from-apache-killer/#comment-100

To be honest I have never heard about the “Request-Range” field. I searched the Apache source and found this:

    /* no Range header: fall back to Request-Range */
    if (!(range = apr_table_get(r->headers_in, "Range"))) {
        range = apr_table_get(r->headers_in, "Request-Range");
    }

I have edited the attack Perl script, using “Request-Range” instead of “Range”. The victim Apache served the request in the same way, resulting in DoS too. However, the same workaround with mod_rewrite is effective against “Request-Range” too.

ps. I have updated the rules to be fully complete.

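An added example, not part of the comments above and not Apache's or the blog author's code: a request filter that mirrors the quoted lookup order (Range first, Request-Range as fallback), next to one that inspects Range alone, to show the gap the thread describes. The function names, the MAX_RANGES threshold and the sample requests are assumptions made for illustration.

```python
import re

MAX_RANGES = 5  # assumed policy threshold, not a value from the page

def parse_headers(raw_request):
    """Header fields of a raw HTTP/1.x request, names lowercased.
    Repeated fields are joined with ", " (assumption: list-header merge)."""
    headers = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = name.strip().lower(), value.strip()
        headers[key] = headers[key] + ", " + value if key in headers else value
    return headers

def effective_range(headers):
    """Same order as the quoted lookup: Range first, Request-Range as fallback."""
    value = headers.get("range")
    return value if value is not None else headers.get("request-range")

def range_count(value):
    """Count comma-separated specs in a 'bytes=' value; 0 if not a bytes range."""
    match = re.match(r"\s*bytes\s*=(.*)$", value, re.IGNORECASE | re.DOTALL)
    if not match:
        return 0
    return sum(1 for spec in match.group(1).split(",") if spec.strip())

def range_only_filter(raw_request, limit=MAX_RANGES):
    """Incomplete check: inspects the Range header alone."""
    value = parse_headers(raw_request).get("range")
    return value is not None and range_count(value) > limit

def full_filter(raw_request, limit=MAX_RANGES):
    """Checks whichever header the server would actually honour."""
    value = effective_range(parse_headers(raw_request))
    return value is not None and range_count(value) > limit

# Constructed sample requests (not captured traffic).
SPECS = ",".join(f"{i * 10}-{i * 10 + 9}" for i in range(8))   # 8 ranges
REQ_RANGE = f"GET / HTTP/1.1\r\nHost: example.test\r\nRange: bytes={SPECS}\r\n\r\n"
REQ_ALT = f"GET / HTTP/1.1\r\nHost: example.test\r\nRequest-Range: bytes={SPECS}\r\n\r\n"
REQ_OK = "GET / HTTP/1.1\r\nHost: example.test\r\nrange: bytes=0-499\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("Range", REQ_RANGE), ("Request-Range", REQ_ALT), ("single", REQ_OK)):
        print(name, range_only_filter(req), full_filter(req))
```

The Request-Range sample passes the Range-only check but is rejected by the full one, which is why a workaround has to cover both header names.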
By: Gappy, Fri, 26 Aug 2011 08:00:03 +0000
http://bechtsoudis.com/2011/08/24/use-mod_rewrite-to-protect-from-apache-killer/#comment-99

What happens if you replace the “Range” header in the attack code with “Request-Range” – does that also need to be blocked?
