Full Disclosure mailing list archives

Re: Apache Killer


From: Davide Guerri <davide.guerri () gmail com>
Date: Wed, 24 Aug 2011 11:36:12 +0200

Hi Jari,
I have it working here on Ubuntu 10.04.3 LTS.

Please be sure you have mod_rewrite enabled and that you've added the rewrite rules to the virtualhost you want to
protect from the DoS.
Mod_rewrite rules can't be used system-wide (although it's possible for a virtualhost to inherit any rules
specified in the main Apache configuration file).

To debug you can use the following directives:

RewriteLog /var/log/apache2/rewrite.log
RewriteLogLevel 3

On a match, the log file should contain something like:

<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cb95d58/subreq] (1) pass through /index.html
<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (2) init rewrite engine with requested uri /
<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (3) applying pattern '.*' to uri '/'

Cheers,
 Davide.

On 24/Aug/2011, at 11:02, Jari Fredriksson wrote:

> 24.8.2011 11:03, Davide Guerri wrote:
>> While waiting for an official patch, how about the following workaround?
>>
>> RewriteEngine On
>> RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
>> RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
>> RewriteRule .* - [F]
>>
>> The workaround uses mod_rewrite to forbid GET|HEAD requests with multiple ranges in the Range HTTP header.
>> The second regex could be improved but it works for the exploit released so far...
>>
>> Cheers,
>> Davide.
>
> Did not help here. Debian Squeeze with its Apache.
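A quick way to see what the quoted RewriteCond pair actually matches before deploying it, as an added example written for this archive entry (not code from the thread): the two conditions are re-implemented in Python and run over constructed Range headers, including a single-range resume request that must keep passing. It assumes that Apache's unanchored RewriteCond regex behaves like Python's re.search for this pattern.

```python
import re

# The RewriteCond pattern from the quoted workaround, as a Python regex.
# Apache applies it unanchored, so re.search() is the equivalent test.
MULTI_RANGE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")

# Methods the first RewriteCond covers: ^(HEAD|GET) with the [NC] flag.
COVERED_METHODS = ("GET", "HEAD")


def would_be_forbidden(method: str, headers: dict) -> bool:
    """Return True if the quoted rules would answer 403 (the [F] flag).

    Both conditions must hold: the method is GET/HEAD (case-insensitive)
    and the Range header holds two or more comma-separated byte ranges.
    """
    if method.upper() not in COVERED_METHODS:
        return False
    # Header names are case-insensitive; only Range is inspected by the rule.
    range_value = next((v for k, v in headers.items() if k.lower() == "range"), None)
    if range_value is None:
        return False
    return MULTI_RANGE.search(range_value) is not None


def classify(requests):
    """Return (label, forbidden) for each constructed sample request."""
    return [(label, would_be_forbidden(m, h)) for label, m, h in requests]


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("plain GET, no Range", "GET", {}),
    ("single range resume", "GET", {"Range": "bytes=1000-"}),
    ("suffix range", "GET", {"Range": "bytes=-500"}),
    ("many overlapping ranges", "HEAD", {"Range": "bytes=0-,5-0,5-1,5-2"}),
    ("two ranges with spaces", "GET", {"range": "bytes=0-1 , 2-3"}),
    ("same header on POST", "POST", {"Range": "bytes=0-,5-0,5-1"}),
]

if __name__ == "__main__":
    for label, forbidden in classify(SAMPLES):
        print(f"{'403' if forbidden else 'pass':4}  {label}")
```

The "two ranges with spaces" case shows that any legitimate client sending multiple ranges is refused too, and the POST case shows the rule's scope: only GET and HEAD are inspected, as the first RewriteCond states.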

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

