On Mon, Aug 22, 2011 at 07:57:10PM +0200, Baptiste wrote:
> Hi,
> 
> Why not only dropping this "Range:bytes=0-" header?

Agreed. Protecting against this vulnerability is not a matter of limiting
connections or whatever. The attack makes mod_deflate exhaust the process'
memory. What is needed is to remove the Range header when there are too
many occurrences of it.

Their attack puts up to 1300 Range values. Let's remove the header if
there are more than 2:

    reqidel ^Range if { hdr_cnt(Range) gt 2 }

That should reliably defeat the attack.

Regards,
Willy
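As an added illustration of the rule above (this is not code from the thread or from HAProxy), the snippet below applies the same policy to a raw HTTP/1.1 request the way an HTTP-aware proxy would before forwarding it: count the Range header lines and strip them all when there are more than 2. Since hdr_cnt(Range) counts header lines, the example also counts the comma-separated entries inside each Range value; that second limit (MAX_RANGE_VALUES) and the sample requests are assumptions of the example, not part of the message.

```python
# Added example, not code from the HAProxy thread: remove the Range header
# from a raw HTTP/1.1 request when it occurs too often, mirroring
#     reqidel ^Range if { hdr_cnt(Range) gt 2 }
# hdr_cnt(Range) counts header lines, so this example additionally counts the
# comma-separated entries inside each Range value. MAX_RANGE_VALUES is an
# assumed extra limit, not part of the rule in the message. All sample
# requests below are constructed.

MAX_RANGE_HEADERS = 2   # from the message: drop when hdr_cnt(Range) gt 2
MAX_RANGE_VALUES = 2    # assumed limit on "bytes=a-b,c-d,..." entries per header


def parse_request(raw: bytes):
    """Split a raw request into (request line, [(name, value)], body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def count_range_values(value: str) -> int:
    """Number of byte-range entries in a Range value such as 'bytes=0-,5-1'."""
    _, _, spec = value.partition("=")
    return sum(1 for part in spec.split(",") if part.strip())


def should_drop_range(headers) -> bool:
    """True when the request carries more Range data than we forward."""
    ranges = [v for n, v in headers if n.lower() == "range"]
    if len(ranges) > MAX_RANGE_HEADERS:          # hdr_cnt(Range) gt 2
        return True
    # Assumed extension: also refuse many ranges packed into one header line.
    return any(count_range_values(v) > MAX_RANGE_VALUES for v in ranges)


def filter_request(raw: bytes):
    """Return (rewritten request, dropped) with Range headers removed if needed."""
    request_line, headers, body = parse_request(raw)
    dropped = should_drop_range(headers)
    if dropped:
        headers = [(n, v) for n, v in headers if n.lower() != "range"]
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body, dropped


def build_request(range_headers):
    """Constructed sample GET carrying the given list of Range header values."""
    lines = ["GET /index.html HTTP/1.1", "Host: example.test"]
    lines += [f"Range: {v}" for v in range_headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


if __name__ == "__main__":
    samples = [
        [],                          # no Range at all: forwarded unchanged
        ["bytes=0-1023"],            # ordinary partial request: kept
        ["bytes=0-"] * 3,            # three Range lines: hdr_cnt gt 2, dropped
        ["bytes=0-,1-,2-,3-"],       # one line, four entries: dropped (assumed limit)
    ]
    for values in samples:
        _, dropped = filter_request(build_request(values))
        print(f"{len(values)} Range header line(s): dropped={dropped}")
```

The rewritten request keeps every other header intact, so a legitimate client that sent a single small Range still gets its partial response, while a request carrying many Range lines is forwarded as a plain full-document GET.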

