In association with heise online

24 August 2011, 15:17

Tool causes Apache web server to freeze - Update

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Apache Feather A previously unknown flaw in the code for processing byte range headers allows version 2.2.x of the Apache Web Server to be crippled from a single PC. A suitable "Apache Killer" Perl script that impressively demonstrates the problem has already been published on the Full Disclosure mailing list.

The tool sends GET requests with multiple "byte ranges" that will claim large portions of the system's memory space. A "byte range" statement allows a browser to only load certain parts of a document, for example bytes 500 to 1000. This method is used by programs such as download clients to resume downloads that have been interrupted; it is designed to reduce bandwidth requirements. However, it appears that stating multiple unsorted components in the header can cause an Apache server to malfunction.

No official patch has been released, but a functional workaround is to use rewrite rules that only allow a single range request in GET and HEAD headers. This should not present a problem for most applications. To enable the rules, administrators must load the Apache Web Server's mod_rewrite module.

Another suggested workaround is to use the mod_header module with the RequestHeader unset Range configuration to completely delete any range requests that may be contained in a header. However, this approach is likely to cause more problems than restricting the number of ranges. Admins should use the tool to test the effectiveness of their measures before others do it for them.

Update: The Apache developers have now published an official advisory regarding the denial of service vulnerability (CVE-2011-3192), noting that active use of the Apache Killer tool has been observed. The advisory includes several workarounds to temporarily mitigate the issue until a full fix is made available.

Update 2: Apparently the Rewrite rules to which we linked do their job, but are not sufficient, as an attack could also use the RequestRange-Header. An extended ruleset might look like this:

RewriteEngine On
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+ [OR]
RewriteCond %{HTTP:Request-Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit