This might be what you're thinking of. https://httpd.apache.org/security/CVE-2011-3192.txt

Description:
============

A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server prior to version 2.2.20:

http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild. Active use of this tool has been observed.

The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server.

Ian McWilliam

________________________________________
From: owner-t...@openbsd.org [owner-t...@openbsd.org] on behalf of Florian Obser [flor...@openbsd.org]
Sent: Monday, 4 May 2015 4:34 AM
To: tech@openbsd.org
Cc: Sunil Nimmagadda
Subject: Re: Byte range implementation for httpd(8)

On Sun, May 03, 2015 at 08:14:25PM +0200, Sebastian Benoit wrote:
> one question though: what's the reasoning behind MAX_RANGES 4? nginx seems to
> have a default of "unlimited" (which I think questionable), but what is

Wasn't there a cve about this last year or so? You can try to burn cpu and io on the server by requesting stupid ranges, like one byte at a time, backwards for the whole file or something...

> reasonably seen on the internet?

my best guess is one range, from some byte position to the end, when you resume a transfer.

--
I'm not entirely sure you are real.
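
Added example, not part of the thread and not httpd(8)'s own code: a Range header parser in C that enforces the kind of MAX_RANGES cap discussed above, covering the resume case (`N-`) as well as bounded and suffix ranges. The names `parse_ranges`, `parse_num` and `struct range`, and the policy of ignoring the header and sending the whole file once the cap is exceeded, are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_RANGES 4			/* the cap questioned in the thread */
struct range { long long start, end; };	/* inclusive byte offsets */

/* Parse a non-negative decimal at *p; -1 if absent. strtoll() saturates at
 * LLONG_MAX on overflow, which the size clamping below absorbs. */
static long long parse_num(const char **p)
{
	char *e;
	long long v;
	if (**p < '0' || **p > '9')
		return -1;
	v = strtoll(*p, &e, 10);
	*p = e;
	return v;
}

/* Returns the count of satisfiable ranges stored in r[]; 0 if the header
 * is to be ignored and the whole file sent (malformed, or more than
 * MAX_RANGES specs: an assumed policy); -1 if none is satisfiable (416). */
int parse_ranges(const char *h, long long size, struct range r[MAX_RANGES])
{
	long long a, b;
	int n = 0, seen = 0;
	if (strncmp(h, "bytes=", 6) != 0)
		return 0;
	for (h += 6;; h++) {
		a = parse_num(&h);
		if (*h++ != '-' || ++seen > MAX_RANGES)
			return 0;	/* cap checked before anything is stored */
		b = parse_num(&h);
		if ((a == -1 && b == -1) || (a != -1 && b != -1 && b < a))
			return 0;
		if (a == -1) {			/* suffix form: last b bytes */
			a = b >= size ? 0 : size - b;
			b = size - 1;
		} else if (b == -1 || b >= size)
			b = size - 1;		/* open-ended or past EOF */
		if (a < size) {
			r[n].start = a;
			r[n++].end = b;
		}
		if (*h == '\0')
			return n > 0 ? n : -1;
		if (*h != ',')
			return 0;
	}
}
```

Because the cap is tested on every range spec before it is stored, a header listing hundreds of one-byte ranges is rejected after the fifth spec and never grows the work done per request.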