Forum Discussion

Ido_Breger_3805's avatar
Historic F5 Account
Aug 31, 2011

Latest Apache range headers DOS vulnerability signature suggestion

Hi ,


You probably heard about this latest Apace DOS vulnerability.



Here is a suggestion to add 2 signatures that will block such attack (based on the assumption that no more than 5 range values)



1. headercontent:"Range"; nocase; pcre:"/(?:Request-)?Range:[\t ]*?bytes[\t ]*?=(?:[\t\d-]+?,){5}/Hi";


2. headercontent:"Range"; nocase; pcre:"/(?:Request-)?Range:[^\r\n]{256}/Hi";

2 Replies

  • This is another good F5 article on several options to prevent this attack using BIG-IP solutions





    So for more than 5 ranges requested, would I say the suggested (extracted from article) below is also fine, same as Option (1) from Ido except just need to change to {5} to {5,} ?


    >> headercontent:"Range"; nocase; pcre:"/Range:[\t ]*bytes=(([0-9\- ])+,){5,}/Hi";



    By the way, just curious why the need for Option (2) ?



    Pardon me as I am new to iRule syntax. Thanks in advance.
  • There is also a recent enhancement of Killer Apache @



    Difference Between Old and New Modified Exploit:



    < $p = “HEAD / HTTP/1.1rnHost: $ARGV[0]rnRange:bytes=0-$prnAccept-Encoding: gziprnConnection: closernrn”; — > $p = “HEAD “.($ARGV[2] ? $ARGV[2] : “/”).”HTTP/1.1rnHost: $ARGV[0]rnRange:bytes=0-$prnAccept-Encoding: gziprnConnection: closernrn”;