Re: [Full-disclosure] Apache Killer

Wed, 24 Aug 2011 08:15:39 -0700 

24.8.2011 12:36, Davide Guerri kirjoitti:
> Hi Jari,
> I have it working here on ubuntu 10.04.3 LTS.
> 
> Please be sure you've mod_rewrite enabled and that you've added the rewrite 
> rules to the virtualhost you want to protect from the DoS.
> Mod_rewrite rules can't be used system-wide (although it's possible for a 
> virtualhost to inherit main any rules specified in the main apache 
> configuration file).
> 

Thanks, that worked! :)


> To debug you can use the following directives
> 
>> RewriteLog /var/log/apache2/rewrite.log
>> RewriteLogLevel 3
> 
> On matching log file should contain something like 
> 
> <server IP> - - [24/Aug/2011:11:09:58 +0200] [<client 
> IP>/sid#7f0c9cb3f098][rid#7f0c9cb95d58/subreq] (1) pass through /index.html
> <server IP> - - [24/Aug/2011:11:09:58 +0200] [<client 
> IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (2) init rewrite engine with 
> requested uri /
> <server IP> - - [24/Aug/2011:11:09:58 +0200] [<client 
> IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (3) applying pattern '.*' to 
> uri '/'
> 
> Cheers,
>  Davide.
> 
> On 24/ago/2011, at 11:02, Jari Fredriksson wrote:
> 
>> 24.8.2011 11:03, Davide Guerri kirjoitti:
>>> While waiting for an official patch, how about the following workaround?
>>>
>>>> RewriteEngine On
>>>> RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
>>>> RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
>>>> RewriteRule .* - [F]
>>>
>>>
>>> The workaround uses modrewrite to forbid get|head requests with multiple 
>>> ranges in the Range HTTP header.
>>> The second regex could be improved but it works for the exploit released so 
>>> far...
>>>
>>> Cheers,
>>> Davide.
>>>
>>
>> Did not help here. Debian Squeeze with its Apache.
> 


-- 

He was part of my dream, of course -- but then I was part of his dream too.
                -- Lewis Carroll

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Reply via email to