vADC Docs

Protecting against the range header denial-of-service in Apache HTTPD

Published 08-25-2011 12:00 AM; edited 06-01-2015 10:26 AM by PaulWallace

If you're running Apache HTTPD, you may have seen the recent advisory (and the follow-up update) describing how abuse of the HTTP/1.1 Range header can cause "significant CPU and memory usage" on the server.

If you're using Stingray Application Firewall, simply update your baseline rules and you will be immediately protected. Otherwise, you can use TrafficScript to block this attack:

# Updated: Remove (if present) an old name that Apache accepts, MSIE 3 vintage
http.removeHeader( "Request-Range" );

$r = http.getHeader( "Range" );

if( $r && string.count( $r, "," ) >= 5 ) {
   # Too many ranges, refuse the request
   http.sendResponse( "403 Forbidden", "text/plain", "Forbidden\n", "" );
}


This simply returns a 403 Forbidden response for any request asking for more than 5 ranges (at least 5 commas in the Range header). This is in line with the advisory's suggested mitigation: multiple ranges are not blocked outright because they have legitimate uses (PDF readers, for example, request parts of a document as you scroll through it), and the attack needs far more ranges than that to be effective.
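For readers not running Stingray, here is the same rule as an added Python example (not code from the article or the product): it drops the Request-Range header, parses the Range header into its individual ranges, and refuses the request with the same 403 response once more than five ranges are present. The function names, the header dict shape and the sample headers in the test are assumptions.

```python
import re

# Added example (not from the article or Stingray): a Python rendering of the
# TrafficScript rule, usable as a pre-forwarding check in a proxy or WSGI
# middleware. Limit matches the article: more than 5 ranges is refused.
MAX_RANGES = 5

RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(value):
    """Split a Range header value into (unit, [ranges]).

    Well-formed byte-range specs become (start, end) tuples with None for an
    open end; anything else is kept as the raw string so it still counts.
    """
    unit, sep, specs = value.partition("=")
    if not sep:                  # no "unit=" prefix: treat the whole value as specs
        unit, specs = "", value
    ranges = []
    for spec in specs.split(","):
        spec = spec.strip()
        m = RANGE_SPEC.match(spec)
        if m:
            start, end = m.groups()
            ranges.append((int(start) if start else None,
                           int(end) if end else None))
        else:
            ranges.append(spec)
    return unit.strip().lower(), ranges


def filter_request_headers(headers):
    """Return (headers_to_forward, response) for a request header dict.

    Request-Range (the MSIE 3 era alias Apache still honours) is dropped.
    response is None when the request may be forwarded, otherwise the
    (status, content_type, body) triple the TrafficScript rule sends.
    """
    forwarded = {k: v for k, v in headers.items()
                 if k.lower() != "request-range"}
    for name, value in forwarded.items():
        if name.lower() == "range":
            _, ranges = parse_ranges(value)
            if len(ranges) > MAX_RANGES:  # i.e. at least 5 commas
                return forwarded, (403, "text/plain", "Forbidden\n")
    return forwarded, None
```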
