Comments on: Use mod_rewrite to protect from “Apache Killer”

By: anestisb

anestisb — Fri, 26 Aug 2011 10:50:20 +0000

You are right, coders should take into account the “Request-Range” too.

I have already sent a relevant email to the full-disclosure mailing list (credits to you of course):
http://seclists.org/fulldisclosure/2011/Aug/300

And Dirk-Willem has updated the previous advisory relatively:
http://seclists.org/fulldisclosure/2011/Aug/301

By: Gappy

Gappy — Fri, 26 Aug 2011 09:08:11 +0000

Yes, everyone should update their instructions for working around this issue to include the Request-Range header also, otherwise attempts at blocking the exploit will be insufficient?

By: anestisb

anestisb — Fri, 26 Aug 2011 08:52:34 +0000

To be honest i have never heard about the “Request-Range” field. I searched the apache source and find out this:
if (!(range = apr_table_get(r->headers_in, “Range”))) {
range = apr_table_get(r->headers_in, “Request-Range”);
}

I have edited the attack perl script using the “Request-Range” instead of the “Range”. Victim apache served the request with the same way resulting in DoS too. Although the same workaround with the mod_rewrite is effective against “Request-Range” too.

ps. I have updated the rules to be fully complete.

By: Gappy

Gappy — Fri, 26 Aug 2011 08:00:03 +0000

What happens if you replace the “Range” header in the attack code with “Request-Range” – does that also need to be blocked?