[svlug] Heads up: Bad remote DoS for current Apache httpd

Rick Moen rick at linuxmafia.com
Thu Aug 25 01:24:37 PDT 2011

Quoting Jesse Monroy (jesse650 at gmail.com):

> This section of the protocol is supposed to be for "efficient
> recovery", and as stated for "partially failed transfer ... and ..
> recovery".
> Further, they are misusing the spec by asking for 1 byte at a time ---
> in compressed mode!!
> (NOTE: PERL code states: "Accept-Encoding: gzip")
> The server should reject this, but apparently there is an error in logic. It
> should be an easy fix, but the actual code may take a week to
> propagate.

I was actually about to say 'Because nobody would _ever_ abuse a
download protocol, right? <grin>', but you certainly have a point that
_particular_ uses of the Range header can no doubt be usefully
disallowed in the HTTPd. 

> There should be a switch in Apache to turn OFF partial recovery mode
> till the fix is in.

That is in fact one of the possible workarounds.  _However_, I do urge
caution and testing to ensure that you aren't breaking any particularly
intensive offerings of file transfers with renegotiation and on-the-fly
adjustment expected.  I haven't had time to look into particulars, but
it's obvious how that protocol mechanism would be useful for, for
example, some video streaming.

Cheers,        "You're not cleared for that information, Friend Citizen. 
Rick Moen      (Remember:  Rumors are treason, and make the Computer UnHappy.")
rick at linuxmafia.com                                       -- Paranoia
McQ!  (4x80)