December 8, 2016

Range Header DoS Vulnerability Leaves 60% of All Websites Open to Attack

(LiveHacking.Com) – Over 60% of the world’s websites run on the Apache web server, and a recently found vulnerability in Apache has left these millions of websites open to a denial-of-service attack.

According to the official Apache HTTPD security advisory, the problem revolves around how Apache handles byte range headers. The advisory links to an available tool called “killapache.pl” which effectively demonstrates the problem. Active use of this tool has been observed. The attack can be carried out remotely, and a modest number of requests can cause very significant memory and CPU usage on a server.

Mitigation

Apache HTTPD users who are concerned about a DoS attack against their server should consider implementing any of the following mitigations immediately.

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request.

Option 1: (Apache 2.0 and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Option 2: (Also for Apache 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

The number 5 is arbitrary. Several tens should not be an issue and may be required for sites which, for example, serve PDFs to very high-end eReaders or use things such as complex HTTP-based video streaming.

2) Use mod_headers to completely disallow the use of Range headers:

RequestHeader unset Range

Note that this may break certain clients, such as those used for e-Readers and progressive/HTTP-streaming video.
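To see exactly which requests the two mitigations above catch, the following added example (not part of the advisory or of LiveHacking.Com's text) applies the SetEnvIf and RewriteCond patterns from Options 1 and 2 to constructed Range header values and counts the ranges in each, the way one might when reviewing access logs before choosing a threshold. The sample values and the function names are assumptions for illustration.

```python
import re

# Patterns copied from the two Apache options above. The SetEnvIf pattern
# fires on a Range value containing five or more commas (six or more ranges).
# The RewriteCond pattern is negated in the config, so a request is rejected
# when its Range value is neither empty nor "bytes=" followed by at most
# five comma-separated ranges.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")
REWRITECOND_ALLOWED = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)")


def count_ranges(range_value):
    """Number of byte ranges in a Range header value ('bytes=0-1,2-3' -> 2)."""
    if not range_value.startswith("bytes="):
        return 0
    return len(range_value[len("bytes="):].split(","))


def option1_drops_header(range_value):
    """Option 1 (SetEnvIf + RequestHeader unset): True if Apache strips Range."""
    return SETENVIF_BAD_RANGE.search(range_value) is not None


def option2_rejects_request(range_value):
    """Option 2 (mod_rewrite): True if Apache answers the request with 403."""
    return REWRITECOND_ALLOWED.search(range_value) is None


def audit(range_values):
    """Classify each Range value under both options; returns list of tuples."""
    return [(v, count_ranges(v), option1_drops_header(v),
             option2_rejects_request(v)) for v in range_values]


# Constructed sample Range header values, not captured traffic.
SAMPLES = [
    "",                                   # request without a Range header
    "bytes=0-499",                        # ordinary resumed download
    "bytes=0-9,10-19,20-29,30-39,40-49",  # five ranges: an eReader-style request
    "bytes=" + ",".join("0-%d" % i for i in range(20)),  # 20 overlapping ranges
]

if __name__ == "__main__":
    for value, n, dropped, rejected in audit(SAMPLES):
        print("%-45s ranges=%2d option1_drop=%s option2_403=%s"
              % (value[:45], n, dropped, rejected))
```

Both options agree on the threshold: a request with five ranges passes untouched, while six or more triggers the header drop under Option 1 and a 403 under Option 2.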

Patch
A patch or new Apache release for Apache 2.0 and 2.2 is expected in the next 48 hours. Although still popular, Apache 1.3 is deprecated and as such there will be no official patch.
