by the way, you can find some HAProxy configuration to fight against
this attack on our blog:
http://blog.exceliance.fr/2011/08/25/protect-apache-against-apache-killer-script/
cheers
On Wed, Aug 24, 2011 at 1:44 PM, Cyril Bonté wrote:
> Hi all,
>
> On Wednesday 24 August 2011 13:02:18 Baptiste wrote:
> (...)
>> > Since there is no hdr_size ACLs for now, the only way is to use a
>> > hdr_reg to do this:
>> > reqidel ^Range if { hdr_reg(Range) ([0-9]+-[0-9]+,){10,} }
>> >
>> > B
Hi all,
On Wednesday 24 August 2011 13:02:18 Baptiste wrote:
(...)
> > Since there is no hdr_size ACLs for now, the only way is to use a
> > hdr_reg to do this:
> > reqidel ^Range if { hdr_reg(Range) ([0-9]+-[0-9]+,){10,} }
> >
> > But the regexp above does not work (haproxy 1.5-dev6), the comma
On Wed, Aug 24, 2011 at 12:44:45PM +0200, Baptiste wrote:
>
> [...]
> Actually, this is slightly different.
> According to the Perl script, a single Range header is sent, but it is
> forged with a lot of range values.
> IE: "Range: 0-,5-1,5-2,5-3,[...]"
>
> Since there is no hdr_size ACLs for now,
On Wed, Aug 24, 2011 at 12:44 PM, Baptiste wrote:
> On Tue, Aug 23, 2011 at 8:09 AM, Willy Tarreau wrote:
>> On Mon, Aug 22, 2011 at 07:57:10PM +0200, Baptiste wrote:
>>> Hi,
>>>
>>> Why not only dropping this "Range:bytes=0-" header?
>>
>> Agreed. Protecting against this vulnerability is not a m
On Tue, Aug 23, 2011 at 8:09 AM, Willy Tarreau wrote:
> On Mon, Aug 22, 2011 at 07:57:10PM +0200, Baptiste wrote:
>> Hi,
>>
>> Why not only dropping this "Range:bytes=0-" header?
>
> Agreed. Protecting against this vulnerability is not a matter of limiting
> connections or whatever. The attack mak
On Mon, Aug 22, 2011 at 07:57:10PM +0200, Baptiste wrote:
> Hi,
>
> Why not only dropping this "Range:bytes=0-" header?
Agreed. Protecting against this vulnerability is not a matter of limiting
connections or whatever. The attack makes mod_deflate exhaust the process'
memory. What is needed is to
On Mon, Aug 22, 2011 at 06:26:01PM +, Svancara, Randall wrote:
> This is nothing new as brute force DOS attacks have been around for a while.
> I am not sure this is an HA-Proxy feature or more of a MOD_SECURITY/iptables
> feature. Simple iptables rate limiting would be sufficient in thwart
This is nothing new as brute force DOS attacks have been around for a while. I
am not sure this is an HA-Proxy feature or more of a MOD_SECURITY/iptables
feature. Simple iptables rate limiting would be sufficient in thwarting this
attack. For example,
I am using this for SSH now, but very ap
Hi,
1. install nginx as frontend
2. install latest version of Apache as backend (afair 2.2.18 was not
vulnerable to such DoS already, and 2.2.19 should be ok too)
3. remove apache's mod_deflate
4. done
--
Cheers,
Kai
Hi,
Why not only dropping this "Range:bytes=0-" header?
cheers
2011/8/22 Levente Peres :
> Hello,
>
> There're a number of webserver-mace apps on the net, the newest that I heard
> of being the so-called "Apache killer" script I saw a few days ago on Full
> disclosure... Here you can see a dem