집에서 아파치 섭을 테스트 하는 과정에서 아파치 구 버젼에 대한 Denial Of Service를 테스트 해보았는데.. 가상 섭이라 그런지 크게 장애가 발생하지는 않았다. 하지만 공격코드를 어떻게 조합하느냐에 따라 큰 장애를 만들 수 있으니 패치 하시길 바랍니다.
[출처]
http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2
List: apache-httpd-dev
Subject: Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-2)
From: Dirk-Willem van Gulik <dirkx () webweaving ! org>
Date: 2011-08-24 12:17:32
Message-ID: 5E9A092C-A449-4318-8A31-FA0481EB04B7 () webweaving ! org
[Download message RAW]
* Updated with Rudigers comments.
* Do we have consensus that the deflate stuff needs to go out - is not relevant ?
* More Comments please. Esp. on the quality and realisticness of the mitigtions.
Thanks,
Title: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2
Date: 20110824 1600Z
# Last Updated: 20110824 1600Z
Product: Apache Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions
Description:
------------
A denial of service vulnerability has been found in the way the multiple overlapping \
ranges are handled by apache (
http://seclists.org/fulldisclosure/2011/Aug/175). It \
most commonly manifests itself when static content is made available with compression \
on the fly through mod_deflate - but other modules which buffer and/or generate \
content in-memory are likely to be affected as well.
This is a very common (the default right!?) configuration.
The attack can be done remotely and with a modest number of requests leads to very \
significant memory and CPU usage.
Active use of this tools has been observed in the wild.
There is currently no patch/new version of apache which fixes this vulnerability. \
This advisory will be updated when a long term fix is available. A fix is expected in \
the next 96 hours.
Mitigation:
------------
However are several immediate options to mitigate this issue until that time:
1) Use mod_headers to dis-allow the use of Range headers:
RequestHeader unset Range
Note that this may break certain clients - such as those used for
e-Readers and progressive/http-streaming video.
2) Use mod_rewrite to limit the number of ranges:
RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$
RewriteRule .* - [F]
3) Limit the size of the request field to a few hundred bytes. Note that while this
keeps the offending Range header short - it may break other headers; such as sizable
cookies or security fields.
LimitRequestFieldSize 200
Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.
See:
http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
3) Deploy a Range header count module as a temporary stopgap measure:
http://people.apache.org/~dirkx/mod_rangecnt.c
4) If your server (only) server static content then disable compression-on-the-fly \
by:
1) removing mod_deflate as a loaded module and/or by removing any
AddOutputFilterByType/SetOutputFilter DEFLATE entries.
2) Disable it with "BrowserMatch .* no-gzip"
See:
http://httpd.apache.org/docs/2.0/mod/mod_deflate.html
http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
5) Apply any of the current patches under discussion - such as:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_ \
TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e
Actions:
--------
Apache HTTPD users are advised to investigate wether they are vulnerable (e.g. allow \
Range headers and use mod_deflate) and consider implementing any of the above \
mitigations.
Planning:
--------
This advisory will be updated when a fix/patch or new release is available. A patch \
or new apache release for Apache 2.0 and 2.2 is expected in the next 96 hours. Note \
that, while popular, Apache 1.3 is deprecated.
[주의] 본 자료는 연구용 및 학습 자료로 사용하길 바라며, 악의적인 사용시 사용자 본인에게 책임이 있음을 명시합니다.
