logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> News & Hangout View previous topic :: View next topic
Reply to topic   Topic: Warning Security issue :: DoS attack with range requests !
Author
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3046
Location: Hilversum, NL, EU

PostPosted: Wed 24 Aug '11 15:44    Post subject: Warning Security issue :: DoS attack with range requests ! Reply with quote

A serious security issue popped up, see first: http://seclists.org/fulldisclosure/2011/Aug/175

ASF is quit busy to solve this issues, you can follow it at:

http://marc.info/?l=apache-httpd-dev&r=1&b=201108&w=2


Steffen
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Wed 24 Aug '11 16:03    Post subject: Reply with quote

That script sends only head requests. Maybe it helps to block those if you haven't already done.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3046
Location: Hilversum, NL, EU

PostPosted: Wed 24 Aug '11 19:12    Post subject: Reply with quote

Updated 25 August 2011

Code:
          Apache HTTPD Security ADVISORY
          ==============================
                    UPDATE 2

Title:       Range header DoS vulnerability Apache HTTPD 1.3/2.x

CVE:         CVE-2011-3192
Last Change: 20110824 1800Z
Date:        20110824 1600Z
Product:     Apache HTTPD Web Server
Versions:    Apache 1.3 all versions, Apache 2 all versions

Description:
============

A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by the Apache HTTPD server:

     http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild. Active use of this tools has
been observed.

The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.

The default Apache HTTPD installation is vulnerable.

There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
is available.

A full fix is expected in the next 48 hours.

Background and the 2007 report
==============================

There are two aspects to this vulnerability. One is new, is Apache specific; and
resolved with this server side fix. The other issue is fundamentally a protocol
design issue dating back to 2007 (http://seclists.org/bugtraq/2007/Jan/83). The
contemporary interpretation of the HTTP protocol (currently) requires a server to
return multiple (overlapping) ranges; in the order requested. This means that one
can request a very large range (e.g. from byte 0- to the end) 100's of times
in a single request. Being able to do so is an issue for (propably all) webservers
and currently subject of an IETF discussion to change the protocol:

   http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311

Now this advisory is about how Apache its so called internal 'bucket brigades'
deal with serving such "valid" request which internally explode into 100's of
large fetches; and keeping those in memory in an inefficient way.

Mitigation:
============

There are several immediate options to mitigate this issue until a full fix
is available:

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
   either ignore the Range: header or reject the request.

   Option 1: (Apache 2.0.61+ and 2.2)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

   Option 2: (Old 2.0 and 1.3)

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          RewriteEngine on
          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
          RewriteRule .* - [F]

   The number 5 is arbitrary. Several 10's should not be an issue and may be
   required for sites which for example serve PDFs to very high end eReaders
   or use things such complex http based video streaming.

2) Limit the size of the request field to a few hundred bytes. Note that while
   this keeps the offending Range header short - it may break other headers;
   such as sizeable cookies or security fields.

          LimitRequestFieldSize 200

   Note that as the attack evolves in the field you are likely to have
   to further limit this and/or impose other LimitRequestFields limits.

   See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

3) Use mod_headers to completely dis-allow the use of Range headers:

          RequestHeader unset Range

   Note that this may break certain clients - such as those used for
   e-Readers and progressive/http-streaming video.

4) Deploy a Range header count module as a temporary stopgap measure:

     http://people.apache.org/~dirkx/mod_rangecnt.c

   Precompiled binaries for some platforms are available at:

   http://people.apache.org/~dirkx/BINARIES.txt

5) Apply any of the current patches under discussion - such as:

   http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e

OS and Vendor specific information
==================================

Red Hat:    Option 1 cannot be used on Red Hat Enterprise Linux 4.
      https://bugzilla.redhat.com/show_bug.cgi?id=732928

NetWare:   Pre compiled binaries available.

mod_security:   Has updated their rule set; see
      http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html

Actions:
========

Apache HTTPD users who are concerned about a DoS attack against their server
should consider implementing any of the above mitigations immediately.

When using a third party attack tool to verify vulnerability - know that most
of the versions in the wild currently check for the presence of mod_deflate;
and will (mis)report that your server is not vulnerable if this module is not
present. This vulnerability is not dependent on presence or absence of
that module.

Planning:
=========

This advisory will be updated when new information, a patch or a new release
is available. A patch or new apache release for Apache 2.0 and 2.2 is expected
in the next 48 hours. Note that, while popular, Apache 1.3 is deprecated.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Thu 25 Aug '11 6:32    Post subject: Reply with quote

James Blond wrote:
That script sends only head requests. Maybe it helps to block those if you haven't already done.


Till someone decides that since you are blocking HEAD requests they will just modify it to send GET requests?

I doubt there will be a new release in 48 hours, not if they are going to go through the 72 hour voting period. It's a high priority however, just last I saw they are still deciding just which route to take to deal with it.

mod_rangecnt for anyone that might want it:

Apache 2.2.x & 2.0.x mod_rangecnt modules Apache.org x86 (or any x86 VC6 build)

Edit: removed stale links and updated link to vc6 builds


Last edited by glsmith on Sat 25 Feb '12 14:03; edited 1 time in total
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3046
Location: Hilversum, NL, EU

PostPosted: Thu 25 Aug '11 7:20    Post subject: Reply with quote

Again mod_security is able to deal with this kind of attacks. Rules for the attack ar available:

http://www.apachelounge.com/viewtopic.php?p=19012


Steffen
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3046
Location: Hilversum, NL, EU

PostPosted: Fri 26 Aug '11 7:00    Post subject: Reply with quote

ASF still discussing a fix.

The mod_security solution looks to me the best for now.

Steffen
Back to top


Reply to topic   Topic: Warning Security issue :: DoS attack with range requests ! View previous topic :: View next topic
Post new topic   Forum Index -> News & Hangout