Tuesday, 6 September 2011

blocking request range attacks on Apache

There are a number of ways to block the recent byte-range request attack (CVE-2011-3192); the best of all is to upgrade or patch Apache so the issue is fixed at the source.

Some versions are easier than others to configure if you cannot patch or upgrade.

In particular, Apache 2.0.49 lacks some of the features required, such as the option to make RequestHeader conditional on an environment variable.

Below is the configuration I have used to block requests with 10 or more byte ranges, or that use the HEAD method to request byte ranges (as that seems a little pointless).

It also logs all such requests to a separate log file.

# Logging: mark any byte-range request (both Range and Request-Range are affected)...
SetEnvIf Range (^bytes) bad-range=1
SetEnvIf Request-Range (^bytes) bad-range=1
# ...unmark it again if it is a plain GET...
SetEnvIf Request_Method "GET" !bad-range
# ...and mark it regardless of method when there are 9 or more commas (10+ ranges)
SetEnvIf Range (,.*?){9,} bad-range=1
SetEnvIf Request-Range (,.*?){9,} bad-range=1
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

#Not available in Apache 2.0.49
#RequestHeader unset Range env=bad-range
#RequestHeader set Range "badrange" env=bad-range

RewriteEngine on

# Blocking: allow an absent/empty header, or "bytes=" followed by at most
# 9 comma-separated ranges (one plus up to 8 more); 10 or more gets a 403
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,8}$|^$)
RewriteRule .* - [F]
RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,8}$|^$)
RewriteRule .* - [F]
# Blocking: any HEAD request that asks for byte ranges gets a 403
RewriteCond %{HTTP:range} (^bytes=)
RewriteCond %{REQUEST_METHOD} ^(HEAD)
RewriteRule .* - [F]
RewriteCond %{HTTP:request-range} (^bytes=)
RewriteCond %{REQUEST_METHOD} ^(HEAD)
RewriteRule .* - [F]
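To check what the rules above actually decide before putting them in front of a live server, here is an added example (my own code, not part of the original post) that replays the same SetEnvIf ordering and the same RewriteCond shapes in Python against constructed requests. It encodes the stated policy of refusing 10 or more ranges and refusing HEAD with a byte range; the header values, the `ranges()` builder and the sample table are constructed for illustration, not captured traffic.

```python
"""Offline check of the Range-header policy described in the post.

Added example (not part of the original post): re-implements the decisions
the httpd.conf snippet makes so the thresholds can be verified against sample
requests without a running Apache. All header values here are constructed.
"""
import re

# Policy stated in the post: refuse requests carrying 10 or more byte ranges,
# and refuse HEAD requests that ask for byte ranges at all.
MAX_RANGES = 9                                # largest number of ranges still served
RANGE_HEADERS = ("Range", "Request-Range")    # both headers are affected by CVE-2011-3192

# Same patterns as the SetEnvIf lines (Python's re handles these PCRE-style patterns).
STARTS_WITH_BYTES = re.compile(r"^bytes")
NINE_OR_MORE_COMMAS = re.compile(r"(,.*?){9,}")
# Same shape as the RewriteCond pattern: 'bytes=' plus at most MAX_RANGES
# comma-separated parts, or an absent/empty header. Anything else is refused.
ACCEPTABLE = re.compile(r"^bytes=[^,]+(,[^,]+){0,%d}$|^$" % (MAX_RANGES - 1))


def count_ranges(value: str) -> int:
    """Number of comma-separated range specs in a 'bytes=...' value (0 if none)."""
    if not value.startswith("bytes="):
        return 0
    return len([part for part in value[len("bytes="):].split(",") if part.strip()])


def would_log(method: str, headers: dict) -> bool:
    """Replay the SetEnvIf chain in order: True when 'bad-range' ends up set."""
    values = [headers.get(h, "") for h in RANGE_HEADERS]
    bad = any(STARTS_WITH_BYTES.search(v) for v in values)   # any byte-range request...
    if re.search("GET", method):                             # ...unless it is a plain GET
        bad = False
    if any(NINE_OR_MORE_COMMAS.search(v) for v in values):  # 10+ ranges: always flagged
        bad = True
    return bad


def would_block(method: str, headers: dict) -> bool:
    """Replay the RewriteCond/RewriteRule pairs: True when the request gets a 403."""
    for h in RANGE_HEADERS:
        value = headers.get(h, "")
        if not ACCEPTABLE.search(value):           # too many ranges (or malformed)
            return True
        if re.search(r"^bytes=", value) and re.search(r"^(HEAD)", method):
            return True                             # HEAD asking for byte ranges
    return False


def classify(method: str, headers: dict) -> dict:
    """What the log rule and the block rules would do with one request."""
    return {
        "ranges": max(count_ranges(headers.get(h, "")) for h in RANGE_HEADERS),
        "logged": would_log(method, headers),
        "blocked": would_block(method, headers),
    }


def ranges(n: int) -> str:
    """Build a constructed 'bytes=' value with n small, distinct ranges."""
    return "bytes=" + ",".join("%d-%d" % (i * 10, i * 10 + 5) for i in range(n))


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "GET, no Range": ("GET", {}),
    "GET, 2 ranges": ("GET", {"Range": ranges(2)}),
    "GET, 9 ranges": ("GET", {"Range": ranges(9)}),
    "GET, 10 ranges": ("GET", {"Range": ranges(10)}),
    "HEAD, 1 range": ("HEAD", {"Range": ranges(1)}),
    "GET, 10 ranges via Request-Range": ("GET", {"Request-Range": ranges(10)}),
    "POST, 3 ranges": ("POST", {"Range": ranges(3)}),
}

if __name__ == "__main__":
    for label, (method, headers) in SAMPLES.items():
        print("%-34s %s" % (label, classify(method, headers)))
```

Running it shows the two rule sets do not overlap exactly: a POST with a few ranges is written to the log (it is not a GET) but still served, while 10 or more ranges on any method, or HEAD with any range, is both logged and refused.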

I've simply put this in httpd.conf using an include file before my NameVirtualHost options, and then in each virtual host I've added the following so the server-level rewrite rules are inherited there too (a per-vhost RewriteEngine On would otherwise start with an empty rule set):

RewriteEngine On
RewriteOptions Inherit

Hope it's of some use!
