Re: Defending against the "Apache killer"

From: Baptiste <bedis9#gmail.com>
Date: Wed, 24 Aug 2011 14:17:55 +0200


On Wed, Aug 24, 2011 at 1:44 PM, Cyril Bonté <cyril.bonte#free.fr> wrote:
> Hi all,
>
> On Wednesday 24 August 2011 13:02:18 Baptiste wrote:
> (...)
>> > Since there is no hdr_size ACLs for now, the only way is to use a
>> > hdr_reg to do this:
>> > reqidel ^Range if { hdr_reg(Range) ([0-9]+-[0-9]+,){10,} }
>> >
>> > But the regexp above does not work (haproxy 1.5-dev6), the comma is
>> > not matched....
>> > don't know yet if it's an haproxy bug or not, I'll tell you once I
>> > have finished investigating.
>> >
>> > cheers
>>
>> I confirm, this looks like a bug in HAProxy, maybe in the way HAProxy
>> loads the regexp from the configuration file:
>
> This is not about how HAProxy loads the regex but about how it applies it to the
> headers.
> The comma character (,) is considered a value separator. HAProxy will then
> try to apply the regex to each value found in the Range header.
> For this header :
> Range:
> bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32,5-33,5-34,5-35,5-36,5-37,5-38,5-39,5-40,5-41,5-42,5-43,5-44,5-45,5-46,5-47,5-48,5-49,5-50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,5-65,5-66,5-67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,5-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,5-97
>
> It will check bytes=0-
> then 5-0
> then 5-1
> then ...
>
>
> --
> Cyril Bonté
>

ahah :)
You're both right.
Sorry, I totally forgot this part of the RFC: "Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. The order in which header fields with the same field-name are received is therefore significant to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded."

So the hdr_cnt from willy works.
I did not try this option since this is not how the Perl script of the first mail builds the attack.

Sorry for the noise, and glad to see that HAProxy works well :)

Received on 2011/08/24 14:17

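The following is an added example, not code from the thread, from HAProxy, or from any of its authors. It models the header semantics Cyril describes (RFC 2616 section 4.2 field combining, then comma-splitting into individual values) and shows, on a constructed request shaped like the quoted Range header, why a per-value `hdr_reg` with `([0-9]+-[0-9]+,){10,}` never matches while a value count does. The threshold of 5 ranges and the exact rule shape `reqidel ^Range if { hdr_cnt(Range) gt N }` are assumptions for illustration; the thread does not reproduce Willy's rule.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample headers (added example, not from the thread or HAProxy).
# ATTACK_RANGE mirrors the shape of the Range header quoted above:
# "bytes=0-" followed by 5-0 ... 5-97, i.e. 99 comma-separated ranges.
ATTACK_RANGE = "bytes=0-," + ",".join(f"5-{i}" for i in range(98))
ATTACK_REQUEST: List[Header] = [("Host", "www.example.com"), ("Range", ATTACK_RANGE)]
BENIGN_REQUEST: List[Header] = [("Host", "www.example.com"), ("Range", "bytes=0-499")]

# The per-value regex tried in the thread, and an assumed threshold for the
# count-based check (tune it to what your application legitimately needs).
PER_VALUE_REGEX = r"([0-9]+-[0-9]+,){10,}"
RANGE_THRESHOLD = 5


def combine_header(headers: List[Header], name: str) -> str:
    """RFC 2616 4.2: repeated fields of a comma-separated header are equivalent
    to one field whose value joins them, in order, with commas."""
    parts = [value.strip() for field, value in headers if field.lower() == name.lower()]
    return ",".join(parts)


def header_values(headers: List[Header], name: str) -> List[str]:
    """Split the combined field into the individual values that HAProxy's
    hdr()/hdr_reg()/hdr_cnt() operate on: commas delimit values."""
    combined = combine_header(headers, name)
    if not combined:
        return []
    return [v.strip() for v in combined.split(",")]


def hdr_reg(headers: List[Header], name: str, pattern: str) -> bool:
    """Model of `hdr_reg(<name>) <regex>`: the regex is tried on each value
    separately, so a value never contains a comma."""
    rx = re.compile(pattern)
    return any(rx.search(v) for v in header_values(headers, name))


def hdr_cnt(headers: List[Header], name: str) -> int:
    """Model of `hdr_cnt(<name>)`: number of values, counting both repeated
    fields and comma-separated items."""
    return len(header_values(headers, name))


def full_header_reg(headers: List[Header], name: str, pattern: str) -> bool:
    """Regex against the whole combined field, which is what the original
    rule expected hdr_reg to do. Shown only for contrast."""
    return re.search(pattern, combine_header(headers, name)) is not None


def blocks_apache_killer(headers: List[Header], threshold: int = RANGE_THRESHOLD) -> bool:
    """Decision of an assumed rule `reqidel ^Range if { hdr_cnt(Range) gt N }`:
    strip the header when it carries more than N ranges."""
    return hdr_cnt(headers, "Range") > threshold


def main() -> None:
    for label, req in (("attack", ATTACK_REQUEST), ("benign", BENIGN_REQUEST)):
        print(f"{label}: hdr_cnt(Range)={hdr_cnt(req, 'Range')} "
              f"hdr_reg per-value={hdr_reg(req, 'Range', PER_VALUE_REGEX)} "
              f"full-header regex={full_header_reg(req, 'Range', PER_VALUE_REGEX)} "
              f"blocked={blocks_apache_killer(req)}")


if __name__ == "__main__":
    main()
```

The same functions apply unchanged to a request that spreads its ranges over several `Range:` lines, since `combine_header` joins them first; that is exactly why counting values is more robust than matching a comma run, which only exists in the combined string. If you also filter the legacy `Request-Range` header, call `hdr_cnt` with that name as well.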
This archive was generated by hypermail 2.2.0 : 2011/08/24 14:30 CEST