Message-ID: <4E55155E.3050809@iki.fi>
Date: Wed, 24 Aug 2011 18:14:38 +0300
From: Jari Fredriksson <jarif@....fi>
To: Davide Guerri <davide.guerri@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Apache Killer
24.8.2011 12:36, Davide Guerri wrote:
> Hi Jari,
> I have it working here on ubuntu 10.04.3 LTS.
>
> Please be sure you've mod_rewrite enabled and that you've added the rewrite rules to the virtualhost you want to protect from the DoS.
> Mod_rewrite rules can't be used system-wide (although it's possible for a virtualhost to inherit any rules specified in the main Apache configuration file).
>
Thanks, that worked! :)
> To debug you can use the following directives
>
>> RewriteLog /var/log/apache2/rewrite.log
>> RewriteLogLevel 3
>
> On a match, the log file should contain something like
>
> <server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cb95d58/subreq] (1) pass through /index.html
> <server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (2) init rewrite engine with requested uri /
> <server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (3) applying pattern '.*' to uri '/'
>
> Cheers,
> Davide.
>
> On 24/Aug/2011, at 11:02, Jari Fredriksson wrote:
>
>> 24.8.2011 11:03, Davide Guerri wrote:
>>> While waiting for an official patch, how about the following workaround?
>>>
>>>> RewriteEngine On
>>>> RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
>>>> RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
>>>> RewriteRule .* - [F]
>>>
>>>
>>> The workaround uses mod_rewrite to forbid GET|HEAD requests with multiple ranges in the Range HTTP header.
>>> The second regex could be improved but it works for the exploit released so far...
>>>
>>> Cheers,
>>> Davide.
>>>
>>
>> Did not help here. Debian Squeeze with its Apache.
>
--
He was part of my dream, of course -- but then I was part of his dream too.
-- Lewis Carroll
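Added example, not part of the thread: a small Python model of Davide's two RewriteCond lines, run against constructed Range headers, to show which requests the [F] rule actually forbids. It also adds a hypothetical range-count check as one way the second regex "could be improved" (the threshold value is an assumption, not from the thread).

```python
import re

# Regex copied from the RewriteCond in the thread (Apache evaluates it with
# PCRE; Python's re behaves the same for this pattern).
MULTI_RANGE_RE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")
# ^(HEAD|GET) with the [NC] flag, i.e. case-insensitive.
METHOD_RE = re.compile(r"^(HEAD|GET)", re.IGNORECASE)


def rewrite_rule_forbids(method: str, headers: dict) -> bool:
    """Mirror the posted rule: both conditions must match for 'RewriteRule .* - [F]'
    to fire. Returns True when Apache would answer 403."""
    if not METHOD_RE.search(method):
        return False  # e.g. POST is not covered by the first condition
    rng = headers.get("Range")
    if rng is None:
        return False  # %{HTTP:Range} is empty, second condition cannot match
    return MULTI_RANGE_RE.search(rng) is not None


def count_ranges(range_header: str) -> int:
    """Count byte-range specs in 'bytes=a-b,c-d,...'."""
    _, _, spec = range_header.partition("=")
    return len([p for p in spec.split(",") if p.strip()])


def exceeds_range_limit(range_header: str, limit: int = 5) -> bool:
    """Hypothetical refinement: only reject requests with more than `limit`
    ranges, so ordinary two-range requests (e.g. PDF viewers) still work.
    The limit of 5 is an assumption for illustration."""
    return count_ranges(range_header) > limit


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", {"Range": "bytes=0-"}),                # single range: allowed
        ("GET", {"Range": "bytes=0-99,200-299"}),      # two ranges: forbidden by the rule
        ("head", {"Range": "bytes=" + ",".join("5-%d" % i for i in range(1, 40))}),
        ("POST", {"Range": "bytes=0-1,2-3"}),          # method not covered: allowed
        ("GET", {}),                                   # no Range header: allowed
    ]
    for method, headers in samples:
        rng = headers.get("Range", "")
        print(method, rng[:40], "->",
              "403" if rewrite_rule_forbids(method, headers) else "pass",
              "| ranges:", count_ranges(rng) if rng else 0,
              "| over limit:", exceeds_range_limit(rng) if rng else False)
```

Note that the posted regex rejects every request with two or more ranges, so a client legitimately asking for two byte ranges is blocked along with the flood of ranges the rule is meant to stop.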
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/