Apache Range Header DOS 攻擊讓主機資源輕易消秏待盡

這個攻擊是八月底的消息，它是一個apache的弱點，對 header 作攻擊，好像是它本就是一個正常的規則，

只是如果分好幾個片斷去 request 的話，就會讓apache 資源慢慢的被耗光，最後 crashed。

一般對 80 的請求為

telnet 10.10.10.135 80

GET / HTTP/1.1

Host: 10.10.10.135

<enter> 

結果

HTTP/1.1 200 OK
Date: Thu, 15 Sep 2011 10:12:02 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Content-Length: 3
Connection: close
Content-Type: text/html; charset=UTF-8

wowConnection closed by foreign host.

如果帶上 range

telnet 10.10.10.135 80

GET / HTTP/1.1

Host: 10.10.10.135
Range: bytes=1-1,1-2,1-3

<enter>

結果

HTTP/1.1 206 Partial Content
Date: Thu, 15 Sep 2011 10:13:38 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Content-Length: 309
Connection: close
Content-Type: multipart/byteranges; boundary=4acf8215ee4231b04

--4acf8215ee4231b04
Content-type: text/html; charset=UTF-8
Content-range: bytes 1-1/3

o
--4acf8215ee4231b04
Content-type: text/html; charset=UTF-8
Content-range: bytes 1-2/3

ow
--4acf8215ee4231b04
Content-type: text/html; charset=UTF-8
Content-range: bytes 1-2/3

ow
--4acf8215ee4231b04--
Connection closed by foreign host.

似乎真的就比沒有range時多了幾個request。

所以這樣子就可以單台主機弄掛一個apache server ??!!

我試了發現者提供的程式 killapache_pl.zip (918 Byte , 下載:2次) 測試，確實!!! 主機的負載慢慢的升高 (top)，要再試著ssh登入主機也不行

有幾個解決方案

1。設置 httpd.conf 加入

# 要有 mod_header
RequestHeader unset Range

RequestHeader unset Request-Range

      再用攻擊程式時它就說  " Host does not seem vulnerable"

      不過不知影響程度到如何 ??? 對於正常的瀏覽時 。

      可能影響到串流 server、或下載用的server

2。一樣在 httpd.conf加入

LimitRequestFieldSize 200

      不過可能影響到cookie，因為某些cookie要的大小可能大些

3。一樣是 httpd.conf

SetEnvIf Range (,.*?){5,} bad-range=1 RequestHeader unset Range env=bad-range

      讓apache偵測header多大時就自動忽略掉它，數值5就是要視情況調整

4。搭配mod_security 的設定 mod_security_apache_header.conf.txt.zip (583 Byte , 下載:0次)

5。最後方式就是update apache 到 2.2.21

      https://lwn.net/Articles/458901/

SECURITY: CVE-2011-3192 (cve.mitre.org)
       core: Further fixes to the handling of byte-range requests to use
       less memory, to avoid denial of service. This patch includes fixes
       to the patch introduced in release 2.2.20 for protocol compliance,
       as well as the MaxRanges directive.

參考
http://seclists.org/fulldisclosure/2011/Aug/175
https://www.infosecisland.com/blogview/16131-Mitigating-the-Apache-Range-Header-DoS-Vulnerability.html
http://hi.baidu.com/rayh4c/blog/item/d264df1b196610ceac6e7543.html
http://www.blogjava.net/stone2083/archive/2011/08/29/357475.html
http://software.solidot.org/article.pl?sid=11%2F09%2F15%2F0510229&from=rss