This might be what you're thinking of.

https://httpd.apache.org/security/CVE-2011-3192.txt

Description:
============

A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by the Apache HTTPD server prior to version
2.2.20:

     http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild. Active use of this tool has
been observed.

The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.



Ian McWilliam
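
As an added example (not httpd(8) or Apache code, neither of which appears on this page), here is a Range header parser that applies the two checks this thread is circling: a cap on the number of ranges per request, in the spirit of the MAX_RANGES 4 asked about below, and outright refusal of ranges that overlap or run backwards, which is the request shape the CVE-2011-3192 tool used to make the server materialise the same bytes over and over. The cap of 4, the 1000-byte file size and the sample headers are constructed; the policy of refusing such requests rather than coalescing or ignoring them is an assumption made for the example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example, not httpd(8) or Apache code.  MAX_RANGES mirrors the cap
 * discussed in the thread; refusing overlapping/descending ranges is an
 * assumed policy (a real server might coalesce or ignore them instead). */
#define MAX_RANGES 4

struct byte_range {
    long long start;    /* first byte, inclusive */
    long long end;      /* last byte, inclusive */
};

/* Parse one range-spec ("a-b", "a-" or "-n") for a resource of file_size
 * bytes.  Returns 0 and fills r, or -1 if malformed or unsatisfiable. */
static int
parse_spec(const char *spec, size_t len, long long file_size,
    struct byte_range *r)
{
    const char *dash = memchr(spec, '-', len), *p;
    long long first = -1, last = -1;

    if (dash == NULL)
        return -1;
    for (p = spec; p < dash; p++) {                 /* first-byte-pos */
        if (!isdigit((unsigned char)*p) || first > (LLONG_MAX - 9) / 10)
            return -1;
        first = (first < 0 ? 0 : first) * 10 + (*p - '0');
    }
    for (p = dash + 1; p < spec + len; p++) {       /* last-byte-pos */
        if (!isdigit((unsigned char)*p) || last > (LLONG_MAX - 9) / 10)
            return -1;
        last = (last < 0 ? 0 : last) * 10 + (*p - '0');
    }
    if (first < 0) {                                /* suffix: last n bytes */
        if (last <= 0)
            return -1;
        r->start = last >= file_size ? 0 : file_size - last;
        r->end = file_size - 1;
        return 0;
    }
    if (first >= file_size)
        return -1;
    if (last < 0 || last >= file_size)
        last = file_size - 1;
    if (last < first)
        return -1;
    r->start = first;
    r->end = last;
    return 0;
}

/* Parse a Range header value into at most max ranges.  Returns the number
 * of ranges (1..max); 0 if the header is absent, not a byte range, or has
 * a malformed/unsatisfiable spec and should simply be ignored (serve the
 * whole body; a production server would send 416 for the unsatisfiable
 * case); or -1 if the request should be refused: more than max ranges, or
 * ranges that overlap or go backwards, so the response can never be larger
 * than the file itself. */
int
parse_range_header(const char *value, long long file_size,
    struct byte_range *out, int max)
{
    const char *p, *comma;
    size_t len;
    int n = 0;

    if (value == NULL || file_size <= 0 || strncmp(value, "bytes=", 6) != 0)
        return 0;
    for (p = value + 6; ; p = comma + 1) {
        while (*p == ' ' || *p == '\t')
            p++;
        comma = strchr(p, ',');
        len = comma != NULL ? (size_t)(comma - p) : strlen(p);
        while (len > 0 && (p[len - 1] == ' ' || p[len - 1] == '\t'))
            len--;
        if (len > 0) {
            if (n == max)
                return -1;              /* over the cap: refuse */
            if (parse_spec(p, len, file_size, &out[n]) == -1)
                return 0;               /* bad spec: ignore header */
            if (n > 0 && out[n].start <= out[n - 1].end)
                return -1;              /* overlap or descending: refuse */
            n++;
        }
        if (comma == NULL)
            break;
    }
    return n;
}

/* Wrappers returning plain values: the range count, and the start
 * (want_end == 0) or end (want_end != 0) of the i-th accepted range. */
int
range_count(const char *value, long long file_size)
{
    struct byte_range r[MAX_RANGES];
    return parse_range_header(value, file_size, r, MAX_RANGES);
}

long long
range_bound(const char *value, long long file_size, int i, int want_end)
{
    struct byte_range r[MAX_RANGES];
    if (i < 0 || parse_range_header(value, file_size, r, MAX_RANGES) <= i)
        return -1;
    return want_end ? r[i].end : r[i].start;
}
```

With a 1000-byte file, the resume case Florian guesses at below (`bytes=500-`) yields one range 500..999, and `bytes=-100` yields 900..999; `bytes=0-,5-6` is refused because the second range starts inside the first, and a fifth range is refused by the cap. Because accepted ranges are strictly ascending, the sum of their lengths is bounded by the file size, which is the property that keeps the server's memory and CPU cost proportional to the resource rather than to the attacker's header.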

________________________________________
From: owner-t...@openbsd.org [owner-t...@openbsd.org] on behalf of Florian 
Obser [flor...@openbsd.org]
Sent: Monday, 4 May 2015 4:34 AM
To: tech@openbsd.org
Cc: Sunil Nimmagadda
Subject: Re: Byte range implementation for httpd(8)

On Sun, May 03, 2015 at 08:14:25PM +0200, Sebastian Benoit wrote:
> one question though: what's the reasoning behind MAX_RANGES 4? nginx seems to
> have a default of "unlimited" (which i think questionable), but what is

Wasn't there a CVE about this last year or so? You can try to burn CPU
and I/O on the server by requesting stupid ranges, like one byte at a
time, backwards for the whole file or something...

> reasonably seen on the internet?

My best guess is one range, from some byte position to the end, when
you resume a transfer.

--
I'm not entirely sure you are real.
