Apache Killer DDoS attack blocked by AX!!!

Posted by ddesmidt

A recent Apache vulnerability has been found using the "HTTP Range" option: www.hacklabs.com/home/2011/8/24/research…partial-content.html

This one can be easily prevented with your A10.

Possible protection: AX could simply drop all requests with a "Range" header. But requests with a "Range" header are valid requests and can be used by thin clients with limited resources.

Recommended protection: What we suggest is to track requests that come with a "Range" header asking for multiple blocks (5). Note: thin clients won't ask for that, so it's most likely someone who is trying to DDoS your service. Now, just in case these are valid clients' requests that try to save their bandwidth (I strongly doubt it, since thin clients ask for 1 range per request and not plenty), what AX does is simply strip off the "Range" header, so these end-users will still have access to the page but will receive the whole object instead of the chunks of it they requested.

Code:

```tcl
when HTTP_REQUEST {
    # Check if the request has an HTTP header Range
    if { [HTTP::header exists "Range"] } {
        # If there is an HTTP header Range, check if that's more than 5
        if { [llength [split [HTTP::header "Range"] ","]] > 5 } {
            # If that's the case, remove the header "Range" + log
            HTTP::header remove Range
            log "client [IP::client_addr] sent a Range request with more than 5 ranges - aFleX removed the range request"
        }
    }
}
```
Enjoy!
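The same rule as the aFleX script above, written in Python so it can be tried offline against a few constructed requests. This is an added example, not code from the original post or from A10; the header dictionaries, client addresses and the `filter_request` / `count_ranges` names are assumptions made for the demo. It generalizes the script in one respect: besides `Range`, it also checks the legacy `Request-Range` header that Apache honoured as an alias, and the range count and header list are parameters rather than fixed values.

```python
import logging

# Maximum number of byte ranges tolerated in one request; the post uses 5.
MAX_RANGES = 5

# Headers to inspect, lower-cased for case-insensitive matching.
# "Request-Range" is a legacy alias Apache treated like "Range" (added generalization).
RANGE_HEADERS = ("range", "request-range")


def count_ranges(value):
    """Count comma-separated range specs in a Range header value.

    'bytes=0-1023' -> 1, 'bytes=0-99, 200-299' -> 2, '' or None -> 0.
    Every non-empty segment is counted, valid or not, so a malformed
    but long list is treated as conservatively as a well-formed one.
    """
    if not value:
        return 0
    _unit, sep, specs = value.partition("=")
    if not sep:
        # No "unit=" prefix: count the whole value as the spec list.
        specs = value
    return sum(1 for s in specs.split(",") if s.strip())


def filter_request(headers, client_addr, max_ranges=MAX_RANGES):
    """Apply the post's rule to one request's headers.

    headers: dict of header name -> value (names matched case-insensitively).
    Returns (kept_headers, removed) where removed lists the header names that
    were stripped because they asked for more than max_ranges ranges.
    Headers within the limit are passed through untouched, so thin clients
    asking for a single block keep partial-content behaviour.
    """
    kept = {}
    removed = []
    for name, value in headers.items():
        if name.lower() in RANGE_HEADERS and count_ranges(value) > max_ranges:
            removed.append(name)
            logging.warning(
                "client %s sent a %s header with %d ranges - header removed",
                client_addr, name, count_ranges(value),
            )
        else:
            kept[name] = value
    return kept, removed


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    # Thin client asking for one block: passes untouched.
    ("192.0.2.10", {"Host": "example.test", "Range": "bytes=0-1023"}),
    # Two ranges, still within the limit.
    ("192.0.2.11", {"Host": "example.test", "Range": "bytes=0-99, 200-299"}),
    # The pattern described in the post: many overlapping ranges in one request.
    ("192.0.2.12", {"Host": "example.test",
                    "Range": "bytes=" + ",".join("5-%d" % i for i in range(20))}),
    # Same list sent under the legacy alias header.
    ("192.0.2.13", {"Host": "example.test",
                    "request-range": "bytes=" + ",".join("0-%d" % i for i in range(6))}),
    # No Range header at all.
    ("192.0.2.14", {"Host": "example.test"}),
]


def run_demo():
    """Run every sample request through the filter; return (addr, removed) pairs."""
    results = []
    for addr, hdrs in SAMPLE_REQUESTS:
        _kept, removed = filter_request(hdrs, addr)
        results.append((addr, removed))
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    for addr, removed in run_demo():
        print(addr, "stripped:" if removed else "passed", ", ".join(removed))
```

Counting is done on the raw comma-separated list, exactly as the aFleX `split` does, rather than after validating each spec; that keeps the check cheap and means a list padded with garbage segments is still counted against the limit. Whatever threshold is chosen, a log line per stripped header, as the script above emits, is what lets you confirm afterwards whether the requests came from one source or many.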