For those using Snort, a local snort rule to alert for incoming attacks might help while waiting for a patch.
example:

alert tcp $EXTERNAL_NET any -> any 80 (msg:"INBOUND Apache Killer script: Local web server is under attack."; content:"Range:bytes=0-"; classtype: denial-of-service; threshold: type threshold, track by_src, count 5 , seconds 20; sid:3000005;)

On Wed, Aug 24, 2011 at 4:03 AM, Davide Guerri <[email protected]> wrote:

> While waiting for an official patch, how about the following workaround?
>
> RewriteEngine On
> RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
> RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
> RewriteRule .* - [F]
>
> The workaround uses modrewrite to forbid get|head requests with multiple
> ranges in the Range HTTP header.
> The second regex could be improved but it works for the exploit released so
> far...
>
> Cheers,
> Davide.
>
> On 24/ago/2011, at 08:01, -= Glowing Sex =- wrote:
>
> > This is handy to read for anyone who runs apache... its worth a look... thx kcope ;>
> > xd
> >
> > On 24 August 2011 13:26, HI-TECH . <[email protected]> wrote:
> > Hello list,
> > oops looks like this bug has nothing to do with mod_deflate/mod_gzip,
> > read on here where the apache team is resolving the issue:
> >
> > http://www.gossamer-threads.com/lists/apache/dev/401638
> >
> > Cheers,
> >
> > Kingcope
> >
> > 2011/8/20 Moritz Naumann <[email protected]>:
> > > On 20.08.2011 00:23 HI-TECH . wrote:
> > >> (see attachment)
> > >> /Kingcope
> > >
> > > Works (too) well here. Are there any workarounds other than rate
> > > limiting or detecting + dropping the traffic IPS-wise?
> > >
> > > Moritz
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
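
Added example, not part of the thread or of any poster's code: a small check of which requests the quoted mod_rewrite workaround would answer with 403, useful for spotting legitimate multi-range clients before deploying it. The sample requests are constructed, and Python's re module is assumed to behave like mod_rewrite's PCRE for these two patterns.

```python
import re

# Patterns copied from the two RewriteCond lines in the quoted workaround.
METHOD_RE = re.compile(r"^(HEAD|GET)", re.IGNORECASE)  # [NC] = case-insensitive
RANGE_RE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")


def is_forbidden(method, range_header):
    """Return True when both conditions match, i.e. 'RewriteRule .* - [F]' fires.

    range_header is None when the request carries no Range header;
    mod_rewrite then tests the empty string.
    """
    value = range_header or ""
    # RewriteCond patterns are unanchored searches and are ANDed by default.
    return bool(METHOD_RE.search(method)) and bool(RANGE_RE.search(value))


# Constructed sample requests: (method, Range header value, description).
SAMPLES = [
    ("GET", None, "no Range header"),
    ("GET", "bytes=0-499", "single range"),
    ("GET", "bytes=-500", "single suffix range"),
    ("GET", "bytes=0-99,200-299", "two ranges from an ordinary client"),
    ("HEAD", "bytes=0-99, 200-299", "two ranges with whitespace"),
    ("GET", "bytes=0-10,0-20,0-30", "several overlapping ranges"),
    ("POST", "bytes=0-10,0-20,0-30", "same header, method outside HEAD|GET"),
]


def evaluate(samples=SAMPLES):
    """Return a list of (description, forbidden) pairs, one per sample."""
    return [(desc, is_forbidden(method, rng)) for method, rng, desc in samples]


if __name__ == "__main__":
    for desc, forbidden in evaluate():
        print(f"{'403 ' if forbidden else 'pass'}  {desc}")
```

Any request with two or more ranges is rejected, including ordinary multi-range clients, so the rule trades some legitimate partial-content traffic for protection until a patch is available.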
