
A few days ago a serious denial-of-service vulnerability was found in Apache HTTPD 1.3 and 2.x, leaving more than 50% of the Internet vulnerable to DoS attacks. The attack is so potent that a single computer can take down an entire server. A new tool called Apache Killer has been observed in active use in the wild.


According to Apache:

Apache HTTPD Security ADVISORY
==============================

Title:       Range header DoS vulnerability in Apache HTTPD 1.3/2.x
CVE:         CVE-2011-3192
Date:        20110824 1600Z
Product:     Apache HTTPD Web Server
Versions:    Apache 1.3 all versions, Apache 2 all versions

Description:
============
A denial of service vulnerability has been found in the way multiple
overlapping ranges are handled by the Apache HTTPD server:
http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild. Active use of this tool has
been observed.

The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.

The default Apache HTTPD installation is vulnerable.
There is currently no patch / new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long-term fix is
available.

A full fix is expected in the next 48 hours.



Apache Killer

Apache Killer is a DoS/DDoS tool written in Perl that sends HTTP GET requests carrying multiple byte ranges. These byte ranges map onto a wide variety of portions of memory, and when abused they cause Apache to malfunction.

There is currently no patch for Apache for this issue; however, Apache has published immediate mitigation advice, which is detailed below:

Mitigation:
============
However, there are several immediate options to mitigate this issue until
a full fix is available:

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
   either ignore the Range: header or reject the request.

   Option 1: (Apache 2.0 and 2.2)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range

          # Optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

   Option 2: (Also for Apache 1.3)

          # Reject the request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          RewriteEngine on
          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
          RewriteRule .* - [F]

   The number 5 is arbitrary. Several tens should not be an issue and may be
   required for sites which, for example, serve PDFs to very high-end eReaders
   or use things such as complex HTTP-based video streaming.

2) Limit the size of the request field to a few hundred bytes. Note that while
   this keeps the offending Range header short, it may break other headers,
   such as sizeable cookies or security fields.

          LimitRequestFieldSize 200

   Note that as the attack evolves in the field you are likely to have
   to further limit this and/or impose other LimitRequestFields limits.

   See: http://httpd.apache.org/docs/2.2/mod/core.html#LimitRequestFieldSize

3) Use mod_headers to completely disallow the use of Range headers:

          RequestHeader unset Range

   Note that this may break certain clients, such as those used for
   e-Readers and progressive/HTTP-streaming video.

4) Deploy a Range header count module as a temporary stopgap measure:

     http://people.apache.org/~dirkx/mod_rangecnt.c

   Precompiled binaries for some platforms are available at:

     http://people.apache.org/~dirkx/BINARIES.txt

5) Apply any of the current patches under discussion - such as:
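Before rolling out Option 1 or Option 2 it is worth confirming what each regex actually does to a given Range header. The following is an added Python example, not code from the advisory or from the blog post: it re-expresses the SetEnvIf and RewriteCond patterns with Python's re module and runs them over constructed sample Range values (including one with a large number of overlapping ranges). The function names and the sample headers are this example's own.

```python
import re

# Python re equivalents of the two patterns quoted in the advisory.
# Option 1 (SetEnvIf): a Range value containing at least five commas
# (six or more range specs) sets bad-range, and the header is then unset.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")

# Option 2 (RewriteCond): the request is allowed only when the header is
# empty or is "bytes=" followed by one spec plus at most four more (five in
# total). The leading "!" in the RewriteCond turns a non-match into a 403.
REWRITECOND_OK_RANGE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")


def count_ranges(range_header: str) -> int:
    """Number of comma-separated range specs in a Range header value."""
    specs = range_header.strip().partition("=")[2]
    return specs.count(",") + 1 if specs else 0


def option1_strips_header(range_header: str) -> bool:
    """True when the SetEnvIf rule would flag bad-range and unset Range."""
    return SETENVIF_BAD_RANGE.search(range_header) is not None


def option2_rejects_request(range_header: str) -> bool:
    """True when the RewriteCond does not match, so the RewriteRule returns 403."""
    return REWRITECOND_OK_RANGE.search(range_header) is None


def evaluate(range_header: str) -> dict:
    """Summarise what each mitigation does with one header value."""
    return {
        "ranges": count_ranges(range_header),
        "option1_strips": option1_strips_header(range_header),
        "option2_rejects": option2_rejects_request(range_header),
    }


# Constructed sample Range values for this example (not captured traffic).
SAMPLE_HEADERS = {
    "absent / empty header": "",
    "ordinary resumed download": "bytes=500-999",
    "five ranges (the limit)": "bytes=0-99,100-199,200-299,300-399,400-499",
    "six ranges": "bytes=0-99,100-199,200-299,300-399,400-499,500-599",
    # 100 open-ended ranges that all overlap: the shape the advisory is about.
    "many overlapping ranges": "bytes=" + ",".join(f"{i}-" for i in range(100)),
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        verdict = evaluate(value)
        print(f"{label:26s} ranges={verdict['ranges']:4d} "
              f"option1_strips={str(verdict['option1_strips']):5s} "
              f"option2_rejects={verdict['option2_rejects']}")
```

Both rules draw the line at five ranges, but they differ in outcome: Option 1 silently drops the header and serves the whole resource with a 200, while Option 2 answers with a 403. Option 2 also rejects any non-empty Range value whose unit is not `bytes`, which the SetEnvIf rule never looks at; check that against the clients you serve before choosing.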
