Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: mod_security rules for Apache Range Header DoS Attack |
|
| Author |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3057
Location: Hilversum, NL, EU
|
 Posted: Thu 25 Aug '11 7:27 Post subject: mod_security rules for Apache Range Header DoS Attack |
 |
|
See also: http://www.apachelounge.com/viewtopic.php?p=18992
There was a posting to the Full Disclosure mail-list yesterday by @kingcope in which he provided a script called killapache.pl that will cause a severe denial of service condition on Apache web servers. I had a chance to test out the script and can confirm that it will lock up an Apache server rather quickly. This blog post will highlight how the attack works and also the new rules that were just added to the OWASP ModSecurity CRS to prevent it.
Read more.. http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html
Steffen |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3057
Location: Hilversum, NL, EU
|
| Posted: Thu 25 Aug '11 14:03 Post subject: |
|
|
Looks fine, added the Range mod_security rules. Now catching quite some on the first rule below.
| Code: | #
# Range Header Checks
#
# 1. Range Header exists and begins with 0 - normal browsers don't do this.
# Automated programs and bots often do not obey the HTTP RFC
#
# -=[ Rule Logic ]=-
# This rule inspects the Range request header to see if it starts with 0.
#
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
# 2. Per RFC 2616 -
# "If the last-byte-pos value is present, it MUST be greater than or equal to the first-byte-pos in that byte-range-spec,
# or the byte- range-spec is syntactically invalid."
# -=[ Rule Logic ]=-
# This rule compares the first and second byte ranges and flags when the first value is greater than the second.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
# http://seclists.org/fulldisclosure/2011/Aug/175
#
# 3. Identifies an excessive number of byte range fields within one request
#
SecRule REQUEST_HEADERS:Range "@beginsWith bytes=0-" "phase:2,rev:'2.2.2',t:none,block,msg:'Range: field exists and begins with 0.',logdata:'%{matched_var}'severity:'5',id:'958291',tag:'RULE_MATURITY/5',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS:Range "(\d+)\-(\d+)\," "chain,capture,phase:2,rev:'2.2.2',t:none,block,msg:'Range: Invalid Last Byte Value.',logdata:'%{matched_var}'severity:'5',id:'958230',tag:'RULE_MATURITY/5',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule TX:2 "!@gt %{tx.1}"
SecRule REQUEST_HEADERS:Range "^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\," "phase:2,capture,rev:'2.2.1',t:none,block,msg:'Range: Too many fields',logdata:'%{matched_var}'severity:'5',id:'958231',tag:'RULE_MATURITY/5',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
|
|
|
| Back to top |
|
maskego
Joined: 16 Apr 2010
Posts: 238
|
| Posted: Fri 26 Aug '11 5:04 Post subject: |
|
|
steffen:
Where to download the v2.2.2 rule sets?I can't find it.What is the full rule name?Is it a part of modsecurity v.2.2.1?
Or You can show the full content of this anti-DOS rule? |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3057
Location: Hilversum, NL, EU
|
|
| Back to top |
|
|
|
|
|
|
