Re: Defending against the "Apache killer"

From: Baptiste <bedis9#gmail.com>
Date: Wed, 24 Aug 2011 13:02:18 +0200


On Wed, Aug 24, 2011 at 12:44 PM, Baptiste <bedis9#gmail.com> wrote:
> On Tue, Aug 23, 2011 at 8:09 AM, Willy Tarreau <w#1wt.eu> wrote:
>> On Mon, Aug 22, 2011 at 07:57:10PM +0200, Baptiste wrote:
>>> Hi,
>>>
>>> Why not only dropping this "Range:bytes=0-" header?
>>
>> Agreed. Protecting against this vulnerability is not a matter of limiting
>> connections or whatever. The attack makes mod_deflate exhaust the process'
>> memory. What is needed is to remove the Range header when there are too
>> many occurrences of it.
>>
>> Their attack puts up to 1300 Range values. Let's remove the header if
>> there are more than 2 :
>>
>>    reqidel ^Range if { hdr_cnt(Range) gt 2 }
>>
>> That should reliably defeat the attack.
>>
>> Regards,
>> Willy
>>
>>
>
>
> Actually, this is slightly different.
> According to the Perl script, a single Range header is sent, but it is
> forged with a lot of range values.
> i.e.: "Range: 0-,5-1,5-2,5-3,[...]"
>
> Since there are no hdr_size ACLs for now, the only way is to use a
> hdr_reg to do this:
> reqidel ^Range if { hdr_reg(Range) ([0-9]+-[0-9]+,){10,} }
>
> But the regexp above does not work (haproxy 1.5-dev6), the comma is
> not matched...
> I don't know yet if it's an HAProxy bug or not, I'll tell you once I
> have finished investigating.
>
> cheers
>

I confirm, this looks like a bug in HAProxy, maybe in the way HAProxy
loads the regexp from the configuration file.

Here is a req.txt file simulating the attack:

HEAD / HTTP/1.1
Host: 10.0.3.20
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32,5-33,5-34,5-35,5-36,5-37,5-38,5-39,5-40,5-41,5-42,5-43,5-44,5-45,5-46,5-47,5-48,5-49,5-50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,5-65,5-66,5-67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,5-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,5-97
Accept-Encoding: gzip
Connection: close

And a working regexp tested with egrep:

egrep -v "([0-9]+-[0-9]+,){10,}" req.txt
HEAD / HTTP/1.1
Host: 10.0.3.20
Accept-Encoding: gzip
Connection: close

The following regexp works in HAProxy: ([0-9]+-[0-9]+)
The same with the comma does not work: ([0-9]+-[0-9]+,)
This one works: ([0-9]+-[0-9]+?)
And this one does not: ([0-9]+-[0-9]+?)\{10,\}

Maybe I'm doing something wrong.
If you need more details, please let me know.

cheers

Received on 2011/08/24 13:02
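As an added illustration (not code from this thread, from HAProxy, or from the Perl script it mentions), here is a small Python check that separates the two situations the messages above discuss: counting Range header lines, which is what hdr_cnt(Range) measures, versus counting the range values packed into a single Range header, which is what the hdr_reg rule is trying to catch. The request samples are constructed to match the req.txt shown in this message; the threshold of 10 ranges mirrors the {10,} in the regexp and is an assumption of the example, as are the function names.

```python
import re

# Regexp from the thread: ten or more consecutive "N-M," byte-range specs.
MANY_RANGES = re.compile(r"([0-9]+-[0-9]+,){10,}")

# Assumption for this example: strip the header above this many range specs.
MAX_RANGE_SPECS = 10


def parse_headers(raw_request):
    """Split a raw HTTP/1.1 request head into (name, value) pairs.

    Names are lower-cased so lookups are case-insensitive, as in HTTP.
    The request line and any body are ignored.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def count_range_headers(headers):
    """Equivalent of HAProxy's hdr_cnt(Range): number of Range header lines."""
    return sum(1 for name, _ in headers if name == "range")


def count_range_specs(range_value):
    """Count the byte-range specs inside one Range header value.

    'bytes=0-,5-0,5-1' -> 3. Open-ended specs such as '0-' or '-500' count too.
    """
    _, _, spec = range_value.partition("=")
    return len([s for s in spec.split(",") if s.strip()])


def should_drop_range(headers):
    """Decide whether a request's Range header should be stripped.

    Combines both rules from the thread: Willy's hdr_cnt(Range) > 2 catches
    many Range *headers*; the hdr_reg rule (and a plain spec count, which
    does not depend on the regexp engine) catches many ranges packed into
    one header. Either condition triggers the drop.
    """
    if count_range_headers(headers) > 2:
        return True
    for name, value in headers:
        if name == "range" and (
            MANY_RANGES.search(value) or count_range_specs(value) > MAX_RANGE_SPECS
        ):
            return True
    return False


def strip_range(headers):
    """Return the headers without any Range line (what 'reqidel ^Range' does)."""
    return [(n, v) for n, v in headers if n != "range"]


# Constructed sample requests (not captured traffic). The first reproduces
# the req.txt from the message: one Range header carrying 0- plus 5-0..5-97.
ATTACK_REQUEST = (
    "HEAD / HTTP/1.1\r\n"
    "Host: 10.0.3.20\r\n"
    "Range: bytes=0-," + ",".join("5-%d" % i for i in range(98)) + "\r\n"
    "Accept-Encoding: gzip\r\n"
    "Connection: close\r\n\r\n"
)

BENIGN_REQUEST = (
    "GET /video.mp4 HTTP/1.1\r\n"
    "Host: 10.0.3.20\r\n"
    "Range: bytes=1048576-2097151\r\n"
    "Connection: close\r\n\r\n"
)


if __name__ == "__main__":
    for label, req in (("attack", ATTACK_REQUEST), ("benign", BENIGN_REQUEST)):
        hdrs = parse_headers(req)
        print(label, "Range headers:", count_range_headers(hdrs),
              "drop:", should_drop_range(hdrs))
```

Running it shows why hdr_cnt alone is not enough for this request shape: the attack sample has exactly one Range header line, so only the per-value check (the regexp or the spec count) flags it, while the single-range download request passes untouched.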

This archive was generated by hypermail 2.2.0 : 2011/08/24 13:15 CEST