dan
Verified User
I'm sure you've probably all heard by now about the Range header flaw that causes Apache to eat up all system memory, swap, and start killing processes, essentially rendering the target system useless.
There have been many discussions about how to mitigate this attack (as it *is* being used!) until Apache comes out with a new version.
I've just tried installing one of the suggested mitigation techniques, which works a treat.
Basically, here's what you need to do:
Code:
mkdir mod_rangecnt
cd mod_rangecnt
wget http://people.apache.org/~dirkx/mod_rangecnt.c
apxs -c mod_rangecnt.c
apxs -i -a mod_rangecnt.la
apachectl restart
Simply allowing this module to be enabled will prevent Apache from responding to requests, and supply a message in Apache's error log with the following:
Code:
[Sat Aug 27 03:43:45 2011] [warn] [client x.x.x.x] Rejected on a Range: header with more than 5 ranges (has 1301)
Since there is no official fix for this flaw yet (which has existed since at least Apache 1.3 came to be), it's strongly suggested you install this module. For anyone using DA who has installed their LAMP stack with custombuild (which should be all of you!), this should work for you.
Dan
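
Once the module is enabled, its warnings can be tallied per client to see who is sending oversized Range headers. This is an added example, not part of the original post: it assumes the error-log wording of the single sample line quoted above, and the log lines and client addresses in it are constructed.

```python
import re
import sys

# Pattern built from the one warning line quoted in the post; the wording is
# an assumption for any other build of the module, so adjust it if yours differs.
REJECT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[warn\] \[client (?P<client>[^\]]+)\] "
    r"Rejected on a Range: header with more than (?P<limit>\d+) ranges "
    r"\(has (?P<count>\d+)\)"
)

# Constructed sample input (documentation-range addresses, not real clients).
SAMPLE_LOG = [
    "[Sat Aug 27 03:43:45 2011] [warn] [client 192.0.2.10] Rejected on a Range: header with more than 5 ranges (has 1301)",
    "[Sat Aug 27 03:43:46 2011] [warn] [client 192.0.2.10] Rejected on a Range: header with more than 5 ranges (has 1301)",
    "[Sat Aug 27 03:43:47 2011] [warn] [client 192.0.2.10] Rejected on a Range: header with more than 5 ranges (has 900)",
    "[Sat Aug 27 03:44:02 2011] [warn] [client 198.51.100.7] Rejected on a Range: header with more than 5 ranges (has 6)",
    "[Sat Aug 27 03:44:10 2011] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico",
]

def summarize_rejections(lines):
    """Group rejection warnings by client: hit count, largest range count, first/last timestamp."""
    summary = {}
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if not m:
            continue  # unrelated log entry
        entry = summary.setdefault(
            m["client"],
            {"hits": 0, "max_ranges": 0, "first": m["ts"], "last": m["ts"]},
        )
        entry["hits"] += 1
        entry["max_ranges"] = max(entry["max_ranges"], int(m["count"]))
        entry["last"] = m["ts"]
    return summary

def noisy_clients(summary, min_hits=3):
    """Clients rejected at least min_hits times, most frequent first."""
    hits = [c for c, e in summary.items() if e["hits"] >= min_hits]
    return sorted(hits, key=lambda c: -summary[c]["hits"])

if __name__ == "__main__":
    # Pass the path to an error log, or run with no argument to use the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize_rejections(lines)
    for client in noisy_clients(report, min_hits=1):
        e = report[client]
        print(f"{client}: {e['hits']} rejected, max {e['max_ranges']} ranges, {e['first']} to {e['last']}")
```
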