lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 24 Aug 2011 11:36:12 +0200
From: Davide Guerri <davide.guerri@...il.com>
To: Jari Fredriksson <jarif@....fi>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Apache Killer

Hi Jari,
I have it working here on ubuntu 10.04.3 LTS.

Please be sure you've mod_rewrite enabled and that you've added the rewrite rules to the virtualhost you want to protect from the DoS.
Mod_rewrite rules can't be used system-wide (although it's possible for a virtualhost to inherit main any rules specified in the main apache configuration file).

To debug you can use the following directives

> RewriteLog /var/log/apache2/rewrite.log
> RewriteLogLevel 3

On matching log file should contain something like 

<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cb95d58/subreq] (1) pass through /index.html
<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (2) init rewrite engine with requested uri /
<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (3) applying pattern '.*' to uri '/'

Cheers,
 Davide.

On 24/ago/2011, at 11:02, Jari Fredriksson wrote:

> 24.8.2011 11:03, Davide Guerri kirjoitti:
>> While waiting for an official patch, how about the following workaround?
>> 
>>> RewriteEngine On
>>> RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
>>> RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
>>> RewriteRule .* - [F]
>> 
>> 
>> The workaround uses modrewrite to forbid get|head requests with multiple ranges in the Range HTTP header.
>> The second regex could be improved but it works for the exploit released so far...
>> 
>> Cheers,
>> Davide.
>> 
> 
> Did not help here. Debian Squeeze with its Apache.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ