Apache - Prevent Apache Killer

TODO: Check and fix.

The Apache Killer exploit, released in August 2011, exploits a vulnerability in the Apache HTTP Server by sending a crafted "Range" HTTP header. The attack abuses the HTTP protocol by requesting that the URL content be returned in a huge number of small chunks, which leads to hundreds of large memory fetches, causing the server to run out of memory and crash. This vulnerability, identified as CVE-2011-3192, was fixed in httpd 2.2.21.

Mitigating Apache from DDoS

According to the DDoS mitigation vendor Arbor Networks, a DDoS bot called Armageddon has integrated the Apache Killer exploit. To prevent your Apache web server from being a DDoS target, you may wish to apply the following mitigation steps.

If you are running an Apache web server version lower than 2.2.21, it is strongly advised that you upgrade to the newest version or apply the patching options described in the reference section of this article.

1. If the fix has not been applied to your installed Apache, you may want to configure Apache to limit the number of ranges in a Range header to 5 (or any other number you choose) as shown below:

Option 1: (Apache 2.0 and 2.2)

# Drop the Range header when it contains more than 5 ranges.
# Requires mod_setenvif and mod_headers. A request whose Range
# header is removed is still served, but as a single full response.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Option 2: (Also for Apache 1.3)

# Reject the request (403 Forbidden) when there are more than 5 ranges
# in the Range: header. Requires mod_rewrite.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

2. Increase the limit on the number of simultaneous requests by raising the MaxClients directive; the default is 256. You may also lengthen the pending-connection queue with the ListenBacklog directive, which is 511 by default.

3. Install the mod_evasive, mod_dosevasive or mod_security Apache modules.
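Before deploying either rule it helps to understand exactly which Range header values each one catches, since the two patterns are not identical. The following Python re-implementation of the Option 1 and Option 2 patterns is an added example, not code from the original page or from the Apache project; the sample header values are constructed and the function names are assumptions made for the example.

```python
import re

# Option 1 from the config above: SetEnvIf Range (,.*?){5,} bad-range=1
# SetEnvIf searches the header value, so this fires on 5 or more commas,
# i.e. 6 or more byte ranges, whatever the range unit is.
OPTION1_BAD = re.compile(r"(,.*?){5,}")

# Option 2 from the config above:
#   RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
# The request is rejected when the value does NOT match this pattern:
# at most 5 ranges, and the unit must be "bytes" (an absent header is
# an empty string and is allowed through).
OPTION2_OK = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")


def count_ranges(range_header: str) -> int:
    """Number of range specs in a Range header value ('' -> 0)."""
    value = range_header.strip()
    if not value:
        return 0
    # Drop the "unit=" prefix if present, then count comma-separated specs.
    unit, sep, specs = value.partition("=")
    specs = specs if sep else value
    return len([s for s in specs.split(",") if s.strip()])


def option1_strips_header(range_header: str) -> bool:
    """True when Option 1 would set bad-range=1 and unset the header."""
    return OPTION1_BAD.search(range_header) is not None


def option2_rejects(range_header: str) -> bool:
    """True when Option 2 would answer 403 Forbidden."""
    return OPTION2_OK.search(range_header) is None


if __name__ == "__main__":
    # Constructed sample header values, from harmless to over the limit.
    samples = [
        "",
        "bytes=0-100",
        "bytes=0-1,2-3,4-5,6-7,8-9",        # exactly 5 ranges: allowed
        "bytes=0-1,2-3,4-5,6-7,8-9,10-11",  # 6 ranges: caught by both
        "items=0-1",                        # non-bytes unit: only Option 2 rejects
    ]
    for s in samples:
        print(f"{s!r:40} ranges={count_ranges(s)} "
              f"opt1_strip={option1_strips_header(s)} opt2_403={option2_rejects(s)}")
```

Note that Option 2 also rejects any Range header whose unit is not "bytes", while Option 1 only looks at the comma count; pick the rule whose behaviour matches what your applications expect.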

References

http://www.webtrafficexchange.com/how-mitigate-apache-killer