[svlug] Heads up: Bad remote DoS for current Apache httpd

Rick Moen rick at linuxmafia.com
Wed Aug 24 19:53:31 PDT 2011

http://seclists.org/fulldisclosure/2011/Aug/175 has details of a DoS 
against all current Apache httpd versions that permit remote exhaustion
of RAM and CPU.  A patch is expected within 48 hours.  Meanwhile,
the DoS can be averted with your choice of several configuration 
settings that prevent the remote Web client from requesting too many
overlapping byte ranges.


On Debian, I tightened down my own server by doing first:

#  a2enmod headers

And then adding the following to /etc/apache2/httpd.conf and then
restarting Apache:

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range

More information about the svlug mailing list