On Tue, Aug 23, 2011 at 8:09 AM, Willy Tarreau <w...@1wt.eu> wrote:
> On Mon, Aug 22, 2011 at 07:57:10PM +0200, Baptiste wrote:
>> Hi,
>>
>> Why not only dropping this "Range:bytes=0-" header?
>
> Agreed. Protecting against this vulnerability is not a matter of limiting
> connections or whatever. The attack makes mod_deflate exhaust the process'
> memory. What is needed is to remove the Range header when there are too
> many occurrences of it.
>
> Their attack puts up to 1300 Range values. Let's remove the header if
> there are more than 2 :
>
>    reqidel ^Range if { hdr_cnt(Range) gt 2 }
>
> That should reliably defeat the attack.
>
> Regards,
> Willy
>
>


Actually, this is slightly different.
According to the Perl script, a single Range header is sent, but it is
forged with a lot of range values.
I.e.: "Range: 0-,5-1,5-2,5-3,[...]"

Since there are no hdr_size ACLs for now, the only way is to use
hdr_reg to do this:
reqidel ^Range if { hdr_reg(Range) ([0-9]+-[0-9]+,){10,} }

But the regexp above does not work (haproxy 1.5-dev6): the comma is
not matched...
I don't know yet if it's a haproxy bug or not; I'll tell you once I
have finished investigating.

cheers
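As an added worked example (not the list's haproxy config and not code from either poster), here is the same check written out in Python so the two rules discussed above can be run side by side: Willy's count of Range header occurrences (hdr_cnt) and Baptiste's threshold on the number of byte ranges inside one header value. It parses the value the way RFC 2616 section 14.35.1 describes a byte-range-set, strips the header when either rule trips (what reqidel does), and also runs the thread's regex through Python's re engine. The sample header values are constructed here; the 1300-range one is built to have the shape the thread describes. Function names and the threshold of 10 are my choices.

```python
import re

# Constructed sample Range values (not captured traffic). KILLER is built
# to have the shape the thread describes: one header carrying 1300+
# comma-separated ranges ("bytes=0-,5-1,5-2,...").
BENIGN = "bytes=0-"
MULTI = "bytes=0-99,200-299,500-"
KILLER = "bytes=0-," + ",".join("5-%d" % i for i in range(1, 1301))

# RFC 2616 14.35.1: a byte-range-set is a comma-separated list of
# byte-range-spec ("first-last" or "first-") and suffix-byte-range-spec
# ("-suffix").
RANGE_SPEC = re.compile(r"^(\d+-\d*|-\d+)$")


def count_ranges(value):
    """Number of well-formed range specs in one Range header value.
    Apache ignores units other than bytes, so those count as 0."""
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return 0
    specs = value[len("bytes="):].split(",")
    return sum(1 for s in specs if RANGE_SPEC.match(s.strip()))


def should_drop_range(value, max_ranges=10):
    """Baptiste's rule: a single header listing more than max_ranges ranges.
    The threshold of 10 is the one used in the thread's hdr_reg pattern."""
    return count_ranges(value) > max_ranges


def filter_headers(headers, max_headers=2, max_ranges=10):
    """headers is a list of (name, value) pairs as they arrive on the wire.
    Every Range header is removed (what reqidel does) when the request
    carries more than max_headers of them (Willy's hdr_cnt rule) or when
    any single one lists more than max_ranges byte ranges (Baptiste's rule).
    Function name and shape are mine, not haproxy's."""
    ranges = [v for n, v in headers if n.lower() == "range"]
    drop = len(ranges) > max_headers or any(
        should_drop_range(v, max_ranges) for v in ranges)
    if not drop:
        return list(headers)
    return [(n, v) for n, v in headers if n.lower() != "range"]


# The thread's hdr_reg pattern, run through Python's re engine: the comma
# is an ordinary character here and is matched as expected.
THREAD_PATTERN = re.compile(r"([0-9]+-[0-9]+,){10,}")


def thread_pattern_matches(value):
    return THREAD_PATTERN.search(value) is not None


if __name__ == "__main__":
    for name, v in (("benign", BENIGN), ("multi", MULTI), ("killer", KILLER)):
        print(name, count_ranges(v), should_drop_range(v),
              thread_pattern_matches(v))
    print(filter_headers([("Host", "example.com"), ("Range", KILLER)]))
```

Note that the open-ended first element "0-," does not satisfy `[0-9]+-[0-9]+,` (no digits after the dash), but the 1300 "5-N," elements that follow do, so the pattern still fires on the attack string; on a normal multi-range request with two or three ranges it stays silent. Whatever stops the same regex from matching inside the haproxy 1.5-dev6 ACL is left where the thread leaves it.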
