Re: [Full-disclosure] Apache Killer
- To: Jari Fredriksson <jarif@xxxxxx>
- Subject: Re: [Full-disclosure] Apache Killer
- From: Davide Guerri <davide.guerri@xxxxxxxxx>
- Date: Wed, 24 Aug 2011 11:36:12 +0200
Hi Jari,
I have it working here on Ubuntu 10.04.3 LTS.
Please be sure you've mod_rewrite enabled and that you've added the rewrite
rules to the virtualhost you want to protect from the DoS.
Mod_rewrite rules can't be used system-wide (although it's possible for a
virtualhost to inherit any rules specified in the main Apache
configuration file).
To debug, you can use the following directives:
> RewriteLog /var/log/apache2/rewrite.log
> RewriteLogLevel 3
On matching, the log file should contain something like:
<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cb95d58/subreq] (1) pass through /index.html
<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (2) init rewrite engine with requested uri /
<server IP> - - [24/Aug/2011:11:09:58 +0200] [<client IP>/sid#7f0c9cb3f098][rid#7f0c9cbac148/initial] (3) applying pattern '.*' to uri '/'
Cheers,
Davide.
On 24/Aug/2011, at 11:02, Jari Fredriksson wrote:
> 24.8.2011 11:03, Davide Guerri wrote:
>> While waiting for an official patch, how about the following workaround?
>>
>>> RewriteEngine On
>>> RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
>>> RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
>>> RewriteRule .* - [F]
>>
>>
>> The workaround uses mod_rewrite to forbid get|head requests with multiple
>> ranges in the Range HTTP header.
>> The second regex could be improved but it works for the exploit released so
>> far...
>>
>> Cheers,
>> Davide.
>>
>
> Did not help here. Debian Squeeze with its Apache.
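To see exactly which requests the posted RewriteCond pair refuses, and to compare it with a check that counts byte-range specs against a threshold instead of refusing any request with two or more, here is an added Python example (not code from the thread or from Apache). The sample requests and the threshold of 5 are constructed for illustration; the regex is the one quoted above.

```python
import re
from typing import Optional

# The second RewriteCond from the thread, reused verbatim as a Python regex;
# RewriteCond matches unanchored, so re.search() has the same semantics.
MULTI_RANGE_RE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")
# Shape of one byte-range-spec: "first-last", "first-" or "-suffix".
BYTE_RANGE_SPEC_RE = re.compile(r"\d+-\d*|-\d+")

def rewrite_rule_blocks(method: str, range_header: Optional[str]) -> bool:
    """Mirror the posted rules: a GET/HEAD ([NC] = case-insensitive) whose
    Range header matches the multi-range pattern gets [F], i.e. a 403."""
    if method.upper() not in ("GET", "HEAD") or range_header is None:
        return False
    return MULTI_RANGE_RE.search(range_header) is not None

def count_byte_ranges(range_header: str) -> int:
    """Parse 'bytes=a-b,c-d,...' and count the byte-range specs, so a policy
    can tolerate a few ranges instead of refusing every multi-range request."""
    unit, sep, ranges = range_header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return 0  # not a byte-range request, nothing to count
    return sum(1 for spec in ranges.split(",")
               if BYTE_RANGE_SPEC_RE.fullmatch(spec.strip()))

def blocks_by_count(method: str, range_header: Optional[str],
                    max_ranges: int) -> bool:
    """Forbid GET/HEAD carrying more than max_ranges byte ranges."""
    if method.upper() not in ("GET", "HEAD") or range_header is None:
        return False
    return count_byte_ranges(range_header) > max_ranges

# Constructed sample requests, not captured traffic: (method, Range header).
SAMPLE_REQUESTS = [
    ("GET", None),                            # no Range header at all
    ("GET", "bytes=0-499"),                   # single range, e.g. a resume
    ("get", "bytes=0-1, 2-3"),                # two ranges, lowercase method
    ("GET", "bytes=0-,5-0,5-1,5-2,5-3,5-4"),  # many overlapping ranges
    ("POST", "bytes=0-,5-0,5-1"),             # method outside GET|HEAD
]

def evaluate(requests=SAMPLE_REQUESTS, max_ranges: int = 5):
    """Return (regex_rule_blocks, count_rule_blocks) for each request."""
    return [(rewrite_rule_blocks(m, r), blocks_by_count(m, r, max_ranges))
            for m, r in requests]
```

Note that the posted regex also refuses a legitimate two-range request such as `bytes=0-1, 2-3`, which the counting variant lets through under the assumed threshold.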
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/