Re: [mod-security-users] Mitigation of Apache Range Header DoS Attack
From: Reindl H. <h.r...@th...> - 2011-08-24 19:30:04
nice - but are you guys really sure that REQUEST_HEADERS:Range "@beginsWith bytes=0-" is a protocol-conform rule which does not block legal requests?

http://labs.apache.org/webarch/http/draft-fielding-http/p5-range.html#byte.ranges

The first 500 bytes (byte offsets 0-499, inclusive):
  bytes=0-499

The second 500 bytes (byte offsets 500-999, inclusive):
  bytes=500-999

The final 500 bytes (byte offsets 9500-9999, inclusive):
  bytes=-500
Or
  bytes=9500-

The first and last bytes only (bytes 0 and 9999):
  bytes=0-0,-1

Several legal but not canonical specifications of the second 500 bytes (byte offsets 500-999, inclusive):
  bytes=500-600,601-999
  bytes=500-700,601-999

On 24.08.2011 16:54, Ryan Barnett wrote:
> FYI - http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html
>
> If you are concerned about this attack, I suggest that you download the latest modsecurity_crs_20_protocol_violations.conf file from SVN as it has the new rules -
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_20_protocol_violations.conf
>
> --
> Ryan Barnett
> Senior Security Researcher
> Trustwave - SpiderLabs

--
Best regards,
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/
http://www.thelounge.net/signature.asc.what.htm
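To check the concern raised in this message, here is an added example (not code from the thread, from ModSecurity or from the CRS): a small parser for the byte-range syntax quoted from the draft, the "@beginsWith bytes=0-" operator re-expressed in Python, and an assumed alternative check that counts byte-range-specs instead of looking at the prefix. The range-count threshold of 5 is an assumption chosen for this example, not a value taken from the CRS rule file; the list of legal header values is constructed from the examples quoted above.

```python
import re
from typing import List, Optional, Tuple

# One byte-range-spec from the draft grammar quoted in the post:
#   first-byte-pos "-" [last-byte-pos]   e.g. 0-499, 9500-
#   "-" suffix-length                    e.g. -500
_RANGE_SPEC = re.compile(r"^(?:(\d+)-(\d*)|-(\d+))$")

# A parsed spec is (first, last); last=None means "to end of entity".
# A suffix spec is encoded as (None, suffix_length).
ByteRange = Tuple[Optional[int], Optional[int]]

# Legal Range values quoted from the draft in the post (constructed list).
LEGAL_EXAMPLES = [
    "bytes=0-499", "bytes=500-999", "bytes=-500", "bytes=9500-",
    "bytes=0-0,-1", "bytes=500-600,601-999", "bytes=500-700,601-999",
]


def parse_range_header(value: str) -> Optional[List[ByteRange]]:
    """Parse a Range header value into its byte-range-specs.

    Returns None when the value is not a syntactically valid 'bytes=' range set,
    so the caller can treat "invalid" and "too many ranges" separately."""
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return None
    ranges: List[ByteRange] = []
    for spec in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m:
            return None
        first, last, suffix = m.groups()
        if suffix is not None:
            ranges.append((None, int(suffix)))
            continue
        last_pos = int(last) if last else None
        # The draft requires last-byte-pos >= first-byte-pos when present;
        # otherwise the byte-range-spec is syntactically invalid.
        if last_pos is not None and last_pos < int(first):
            return None
        ranges.append((int(first), last_pos))
    return ranges or None


def matches_beginswith_rule(value: str) -> bool:
    """Emulates the operator from the post: REQUEST_HEADERS:Range "@beginsWith bytes=0-"."""
    return value.startswith("bytes=0-")


def exceeds_range_count(value: str, max_ranges: int = 5) -> bool:
    """Assumed alternative check: a syntactically valid header carrying more
    than max_ranges byte-range-specs. The threshold is an example assumption."""
    ranges = parse_range_header(value)
    return ranges is not None and len(ranges) > max_ranges


def legal_examples_flagged_by_beginswith() -> List[str]:
    """Which of the draft's legal examples the prefix rule would block."""
    return [v for v in LEGAL_EXAMPLES if matches_beginswith_rule(v)]


def legal_examples_flagged_by_count(max_ranges: int = 5) -> List[str]:
    """Which of the draft's legal examples the count-based check would block."""
    return [v for v in LEGAL_EXAMPLES if exceeds_range_count(v, max_ranges)]


if __name__ == "__main__":
    for v in LEGAL_EXAMPLES:
        print(f"{v:28} parsed={parse_range_header(v)} "
              f"beginsWith={matches_beginswith_rule(v)} count>5={exceeds_range_count(v)}")
    print("blocked by @beginsWith:", legal_examples_flagged_by_beginswith())
    print("blocked by range count:", legal_examples_flagged_by_count())
```

Running it shows the point of the question: two of the draft's own legal examples ("bytes=0-499" and "bytes=0-0,-1") start with "bytes=0-" and would be blocked by the prefix rule, while a check on the number of byte-range-specs leaves all seven untouched. Any such threshold still needs tuning against real traffic, since download managers and media players do send multi-range requests.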