Re: CVE-2011-3192 and Range requests

From: Baptiste <bedis9#gmail.com>
Date: Sat, 27 Aug 2011 08:17:39 +0200


Hi,

HAProxy is fine and can protect your Apache. Have a look at this page, you'll find some HAProxy configuration examples: http://blog.exceliance.fr/2011/08/25/protect-apache-against-apache-killer-script/

Basically, removing the malformed Range header is easy to do. Usually, the same source IP address will also try to open a lot of connections. HAProxy can also help you to slow down this kind of attack; since they are not legitimate traffic, you don't want them to hit your web servers too much.

Good luck.

On Sat, Aug 27, 2011 at 8:04 AM, Aristedes Maniatis <ari#ish.com.au> wrote:
> What is the vulnerability [1] of an Apache httpd server with haproxy in
> front of it?
>
> 1. haproxy is fine, httpd will still suffer from DoS attacks
> 2. haproxy may itself suffer DoS
> 3. haproxy is fine and will protect an httpd server from DoS
>
> Thanks for an excellent product.
>
> Ari
>
>
> [1] http://article.gmane.org/gmane.comp.apache.announce/59
>
>
> --
> -------------------------->
> Aristedes Maniatis
> ish
> http://www.ish.com.au
> Level 1, 30 Wilson Street Newtown 2042 Australia
> phone +61 2 9550 5001   fax +61 2 9550 4001
> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
>
>
Received on 2011/08/27 08:17
