Thursday, August 25, 2011 - 00:20

Apache bug in range handling has potential to wreak havoc

Current versions of Apache have a neat bug in their byte-range handling that has quite some potential to crash a site with minimal to no effort at all. Byte ranges are a feature of HTTP 1.1, used to transfer parts of a document. If multiple ranges are requested in a slightly untidy way, Apache gets out of step big time: a single remote connection over a lousy DSL line can wreak havoc on your system to varying degrees. If you ever want to see your load hit the moon, give it a try.

As of now there is no patch yet, but there are two workarounds.

The easy and more stable one is to ignore range requests altogether. This is what I would suggest on a classic web server, i.e. one that is primarily dishing out web pages. You lose some features like resume and progressive downloading (e.g. of streams), but otherwise it should be safe.

To disable range requests completely you need to have mod_headers activated (a2enmod headers) and add

RequestHeader unset Range

to either your httpd.conf (globally) or whatever configuration file you deem suitable.

The other option is to blunt the attack by rewriting such requests. This has less impact on your features (virtually none) but does not eliminate the attack. It works more like a limiter, since your server still appears to be vulnerable, so people will keep giving it a shot. The impact, however, isn't even remotely comparable.

To use the rewrite option, enable mod_rewrite (a2enmod rewrite) and add this to your host configuration:

# Turn the rewrite engine on if it is not already in place for this host
# (Apache does not accept a comment after a directive on the same line)
RewriteEngine On
# Only look at HEAD and GET, case-insensitively
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
# Match a Range header that carries a comma-separated list of ranges
RewriteCond %{HTTP:Range} ([0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
# Answer such requests with 403 Forbidden
RewriteRule .* - [F]

The rule does not forbid ranges as such; it forbids requests that carry multiple ranges. As a result the bug is no longer exploitable. Since your system still appears to be vulnerable, though, this will not keep people from trying.
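Before rolling either workaround out across a fleet of vhosts it helps to see exactly which requests each one affects. The following script is an added example, not part of the original post or of Apache: it reproduces the decision the three mod_rewrite lines above make (GET/HEAD only, unanchored search with the post's own regex) and the effect of "RequestHeader unset Range", then runs both over a handful of constructed request headers. The header samples, the function names and the example.org host are assumptions made up for the demonstration.

```python
import re

# The RewriteCond pattern from the post, verbatim. Apache's RewriteCond does an
# unanchored, case-sensitive PCRE search, which re.search reproduces closely
# enough for a regex made of digits, commas and whitespace only.
MULTI_RANGE_RE = re.compile(r"([0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")

# The first RewriteCond limits the rule to HEAD and GET, case-insensitively ([NC]).
COVERED_METHODS = {"HEAD", "GET"}


def rewrite_rule_verdict(method: str, headers: dict) -> str:
    """Mimic the mod_rewrite workaround from the post.

    Returns 'forbidden' when the request would hit 'RewriteRule .* - [F]'
    (HTTP 403) and 'allowed' otherwise. Header lookup is case-insensitive,
    as it is for Apache's %{HTTP:Range} variable.
    """
    if method.upper() not in COVERED_METHODS:
        return "allowed"
    range_value = next((v for k, v in headers.items() if k.lower() == "range"), None)
    if range_value is None:
        return "allowed"
    return "forbidden" if MULTI_RANGE_RE.search(range_value) else "allowed"


def unset_range(headers: dict) -> dict:
    """Mimic 'RequestHeader unset Range': return the headers the content
    handler would see, with any Range header removed regardless of case."""
    return {k: v for k, v in headers.items() if k.lower() != "range"}


# Constructed sample requests (not captured traffic): a normal resume-style
# download, an upper-case header name on a HEAD, a two-range request with
# whitespace around the comma, and a long list of ranges like the post describes.
SAMPLES = [
    ("GET", {"Host": "example.org", "Range": "bytes=1000-"}),
    ("HEAD", {"Host": "example.org", "RANGE": "bytes=0-499"}),
    ("GET", {"Host": "example.org", "Range": "bytes=0-1, 2-3"}),
    ("GET", {"Host": "example.org",
             "Range": "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(50))}),
]


def summarize(samples=SAMPLES):
    """Run both workarounds over the samples.

    Returns a list of (method, rewrite verdict, range_header_survives_unset)
    tuples so the two options can be compared side by side.
    """
    out = []
    for method, headers in samples:
        survives = any(k.lower() == "range" for k in unset_range(headers))
        out.append((method, rewrite_rule_verdict(method, headers), survives))
    return out


if __name__ == "__main__":
    for method, verdict, survives in summarize():
        print(f"{method:4} rewrite: {verdict:9}  Range header left after unset: {survives}")
```

Running it shows the trade-off the post describes: the unset option strips every Range header, single-range resumes included, while the rewrite option lets the first two samples through and only answers the multi-range ones with 403. Note that the regex needs a comma to match at all, so "bytes=1000-" is untouched.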

The downside of this one is that global rewrite rules are a bit tricky to implement. If you have lots of virtual hosts this is going to be a pain in the ass. Since I don't expect this to remain unfixed for long, you might want to pick the first option, or you may find yourself un-patching your vhosts right after you patched them.