Apache Killer DDoS attack blocked by AX!!!
Posted by ddesmidt
A recent Apache vulnerability has been found using the "HTTP Range" option.
www.hacklabs.com/home/2011/8/24/research...partial-content.html
This one can be easily prevented with your A10.
Possible protection:
AX could simply drop all requests with a "Range header".
But the requests with a "Range header" are valid requests and can be used by thin clients with limited resources.
Recommended protection:
What we suggest is to track requests that come with a "Range header" asking for multiple blocks (5).
Note: Thin clients won't ask that, so it's most likely someone who tries to do a DDoS of your service.
Now, just in case these are valid clients' requests that try to save their bandwidth (I strongly doubt it, since thin clients ask for 1 range per request and not plenty), what AX does is simply strip off the "Range" header, so these end-users will still have access to the page but will receive the whole object instead of chunks of it as requested.
Code:
when HTTP_REQUEST {
    # Check if the request has an HTTP header Range
    if { [HTTP::header exists "Range"] } {
        # If there is an HTTP header Range, check if that's more than 5 ranges
        if { [llength [split [HTTP::header "Range"] ","]] > 5 } {
            # If that's the case, remove the header "Range" + log
            HTTP::header remove Range
            log "client [IP::client_addr] sent a Range request with more than 5 ranges - aFleX removed the range request"
        }
    }
}
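As an added example, not part of the original post or of A10's aFleX code, here is the same policy written as a Python request filter so it can be tested offline; the header dict, the client IP and the 5-range threshold are assumptions modelled on the post. It also ignores empty entries from stray commas, which a plain split on "," would count as ranges.

```python
"""Added example: the post's Range-header policy as a Python filter.
Assumes headers arrive as a plain dict and mirrors the post's threshold of 5."""

MAX_RANGES = 5  # threshold taken from the post


def count_ranges(range_value: str) -> int:
    """Count the byte-range specs in a Range header value,
    e.g. 'bytes=0-1,5-9' -> 2. Empty entries from stray commas
    are ignored, so 'bytes=0-1,' still counts as 1."""
    _, _, specs = range_value.partition("=")
    return len([s for s in specs.split(",") if s.strip()])


def filter_range_header(headers: dict, client_ip: str, max_ranges: int = MAX_RANGES):
    """Return (sanitized_headers, log_line).
    Like the aFleX script: a Range header asking for more than max_ranges
    ranges is stripped (the client then receives the whole object) and the
    event is logged; every other request passes through untouched."""
    sanitized = dict(headers)
    # Header names are case-insensitive, so match "range" in any spelling.
    range_key = next((k for k in headers if k.lower() == "range"), None)
    if range_key is None:
        return sanitized, None
    n = count_ranges(headers[range_key])
    if n > max_ranges:
        del sanitized[range_key]
        return sanitized, (f"client {client_ip} sent a Range request with {n} ranges "
                           f"- Range header removed")
    return sanitized, None


if __name__ == "__main__":
    # Constructed sample requests: a thin client's single range, and a
    # request asking for six ranges at once (over the threshold).
    thin = {"Host": "example.test", "Range": "bytes=0-1023"}
    many = {"Host": "example.test",
            "Range": "bytes=0-99,100-199,200-299,300-399,400-499,500-599"}
    for hdrs in (thin, many):
        out, msg = filter_range_header(hdrs, "192.0.2.10")
        print("Range kept:", "Range" in out, "| log:", msg)
```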
Enjoy!