On Wed, Aug 24, 2011 at 12:44 PM, Baptiste <bed...@gmail.com> wrote:
> On Tue, Aug 23, 2011 at 8:09 AM, Willy Tarreau <w...@1wt.eu> wrote:
>> On Mon, Aug 22, 2011 at 07:57:10PM +0200, Baptiste wrote:
>>> Hi,
>>>
>>> Why not just drop this "Range:bytes=0-" header?
>>
>> Agreed. Protecting against this vulnerability is not a matter of limiting
>> connections or whatever. The attack makes mod_deflate exhaust the process'
>> memory. What is needed is to remove the Range header when there are too
>> many occurrences of it.
>>
>> Their attack puts up to 1300 Range values. Let's remove the header if
>> there are more than 2:
>>
>> reqidel ^Range if { hdr_cnt(Range) gt 2 }
>>
>> That should reliably defeat the attack.
>>
>> Regards,
>> Willy
>
> Actually, this is slightly different.
> According to the Perl script, a single Range header is sent, but it is
> forged with a lot of range values.
> I.e.: "Range: 0-,5-1,5-2,5-3,[...]"
>
> Since there is no hdr_size ACL for now, the only way is to use a
> hdr_reg to do this:
> reqidel ^Range if { hdr_reg(Range) ([0-9]+-[0-9]+,){10,} }
>
> But the regexp above does not work (haproxy 1.5-dev6), the comma is
> not matched...
> I don't know yet if it's an HAProxy bug or not; I'll tell you once I
> have finished investigating.
>
> cheers
I confirm, this looks like a bug in HAProxy, maybe in the way HAProxy loads
the regexp from the configuration file.

Here is a req.txt file simulating the attack:

HEAD / HTTP/1.1
Host: 10.0.3.20
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32,5-33,5-34,5-35,5-36,5-37,5-38,5-39,5-40,5-41,5-42,5-43,5-44,5-45,5-46,5-47,5-48,5-49,5-50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,5-65,5-66,5-67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,5-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,5-97
Accept-Encoding: gzip
Connection: close

And a working regexp tested with egrep:

egrep -v "([0-9]+-[0-9]+,){10,}" req.txt
HEAD / HTTP/1.1
Host: 10.0.3.20
Accept-Encoding: gzip
Connection: close

The following regexp works in HAProxy:
([0-9]+-[0-9]+)

The same with the comma does not work:
([0-9]+-[0-9]+,)

This one works:
([0-9]+-[0-9]+?)

And this one does not:
([0-9]+-[0-9]+?)\{10,\}

Maybe I'm doing something wrong. If you need more details, please let me know.

cheers
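The two conditions the thread discusses (Willy's "more than 2 Range headers" rule and Baptiste's "more than 10 ranges in a single Range header" regexp), written out as a request check in Python. This is an added example, not code from the thread or from HAProxy; the sample requests are constructed here, and the thresholds 2 and 10 are the ones from the rules above.

```python
import re

# Constructed samples (not from the thread): a normal two-range request and
# one with a single Range header carrying 101 byte ranges, as in req.txt.
NORMAL_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Range: bytes=0-499,1000-1499\r\n"
    "\r\n"
)
ABUSIVE_REQUEST = (
    "HEAD / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Range: bytes=0-," + ",".join(f"5-{i}" for i in range(100)) + "\r\n"
    "Accept-Encoding: gzip\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# One byte-range-spec: "first-last", "first-" or "-suffix" (RFC 2616 14.35.1).
RANGE_SPEC = re.compile(r"^(\d+-\d*|-\d+)$")


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP request head, names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def count_ranges(value):
    """Number of byte-range-specs in a Range header value, or -1 if malformed."""
    if not value.lower().startswith("bytes="):
        return -1
    specs = [s.strip() for s in value[len("bytes="):].split(",")]
    if not all(RANGE_SPEC.match(s) for s in specs):
        return -1
    return len(specs)


def range_is_abusive(raw, max_headers=2, max_ranges=10):
    """True if the request has more than max_headers Range headers (the hdr_cnt
    rule) or any one Range header lists more than max_ranges ranges (the hdr_reg
    rule). A request flagged here is one the rules above would strip Range from."""
    values = [v for n, v in parse_headers(raw) if n == "range"]
    if len(values) > max_headers:
        return True
    return any(count_ranges(v) > max_ranges for v in values)
```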