[svlug] Heads up: Bad remote DoS for current Apache httpd

Rick Moen rick at linuxmafia.com
Thu Aug 25 01:24:37 PDT 2011


Quoting Jesse Monroy (jesse650 at gmail.com):

[...]
> This section of the protocol is supposed to be for "efficient
> recovery", and as stated for "partially failed transfer ... and ..
> recovery".
> 
> Further, they are misusing the spec by asking for 1 byte at a time ---
> in compressed mode!!
> (NOTE: PERL code states: "Accept-Encoding: gzip")
> 
> The server should reject this, but apparently there is an error in
> logic. It should be an easy fix, but the actual code may take a week to
> propagate.

I was actually about to say 'Because nobody would _ever_ abuse a
download protocol, right? <grin>', but you certainly have a point that
_particular_ uses of the Range header can no doubt be usefully
disallowed in the HTTPd. 

> There should be a switch in Apache to turn OFF partial recovery mode
> till the fix is in.

That is in fact one of the possible workarounds.  _However_, I do urge
caution and testing to ensure that you aren't breaking any particularly
intensive offerings of file transfers with renegotiation and on-the-fly
adjustment expected.  I haven't had time to look into particulars, but
it's obvious how that protocol mechanism would be useful for, for
example, some video streaming.

-- 
Cheers,        "You're not cleared for that information, Friend Citizen. 
Rick Moen      (Remember:  Rumors are treason, and make the Computer UnHappy.")
rick at linuxmafia.com                                       -- Paranoia
McQ!  (4x80)
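Added example, not code from this thread, from Rick, or from Apache httpd: a small Python filter showing the kind of policy the exchange above is talking about, disallowing particular abusive uses of the Range header (many tiny or overlapping byte-ranges, the "1 byte at a time" pattern Jesse describes) while still serving the single-range resume and seek requests that download managers and video players depend on, which is the breakage Rick urges testing for. The range-count threshold, the 10 MiB body size and the sample headers are assumptions constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Policy thresholds. These are assumptions made for this example, not numbers from
# the thread or from any Apache release; tune them to the site's real clients.
MAX_RANGES = 5   # a request carrying more byte-ranges than this is treated as abusive

ByteRange = Tuple[int, int]   # inclusive (first, last) byte positions


def parse_byte_ranges(header: Optional[str], size: int) -> Optional[List[ByteRange]]:
    """Parse a 'Range: bytes=...' value against a representation of `size` bytes.

    Returns the satisfiable ranges as inclusive (first, last) tuples. Returns None
    when there is no usable byte-range header (absent, another unit, or a
    syntactically invalid spec); HTTP/1.1 says the server then ignores the header
    and serves the whole body, which is also the safe thing to do with junk.
    """
    if header is None:
        return None
    m = re.fullmatch(r"bytes=(.*)", header.strip())
    if m is None:
        return None
    specs = [s.strip() for s in m.group(1).split(",") if s.strip()]
    if not specs:
        return None
    ranges: List[ByteRange] = []
    for spec in specs:
        m2 = re.fullmatch(r"(\d*)-(\d*)", spec)
        if m2 is None or (m2.group(1) == "" and m2.group(2) == ""):
            return None
        first, last = m2.group(1), m2.group(2)
        if first == "":
            # suffix range "-N": the last N bytes of the body
            n = int(last)
            if n == 0:
                continue                      # unsatisfiable, ignore this spec
            ranges.append((max(0, size - n), size - 1))
            continue
        start = int(first)
        if start >= size:
            continue                          # unsatisfiable, ignore this spec
        end = size - 1 if last == "" else min(int(last), size - 1)
        if end < start:
            return None                       # last < first is invalid: ignore header
        ranges.append((start, end))
    return ranges


def range_policy(header: Optional[str], size: int) -> str:
    """Decide how the server should treat the request's Range header.

    'full'          serve the entire body with 200 (no usable Range header)
    'partial'       serve the requested range(s) with 206
    'unsatisfiable' answer 416 Range Not Satisfiable
    'reject'        abusive range set: answer 416, or drop the header and serve 200
    """
    ranges = parse_byte_ranges(header, size)
    if ranges is None:
        return "full"
    if not ranges:
        return "unsatisfiable"
    if len(ranges) > MAX_RANGES:
        return "reject"
    # Overlapping or duplicated ranges are never needed to resume or seek, so any
    # overlap is treated as abuse (a design choice of this example, not a spec rule).
    ordered = sorted(ranges)
    for (_, a_last), (b_first, _) in zip(ordered, ordered[1:]):
        if b_first <= a_last:
            return "reject"
    return "partial"


# Constructed sample requests against a pretend 10 MiB video file (not captured traffic).
BODY_SIZE = 10 * 1024 * 1024
SAMPLES = {
    "resume":  "bytes=1048576-",                            # download manager resuming at 1 MiB
    "seek":    "bytes=-65536",                              # player fetching the last 64 KiB
    "viewer":  "bytes=0-1023,4096-8191,9000000-9001023",    # document viewer, three ranges
    "abusive": "bytes=" + ",".join(f"{i}-{i}" for i in range(1300)),  # 1300 one-byte ranges
}


def classify_samples(size: int = BODY_SIZE) -> dict:
    """Run the policy over the constructed samples: legitimate ones pass, the abuse is rejected."""
    return {name: range_policy(h, size) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:8s} -> {verdict}")
```

The point of the three legitimate samples is the caveat in the reply above: a resume, a tail seek and a small multi-range fetch all still get a 206, so a site can compare its own access logs against a policy like this before switching partial content off wholesale.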