Apache Vulnerability – the “206 Partial Content” issue

This is a notification for all Apache Web server users.

Recently there was a Security Vulnerability Notice: Apache HTTP Server CVE-2011-3192 Denial Of Service Vulnerability (http://www.securityfocus.com/bid/49303/info). This exploit affects all Apache 2.0 and Apache 1.3 installations and permits possible DDoS attacks. There are several workarounds available to help secure the affected servers; they are provided below.

Apache Web server vulnerability symptoms:

With the next line you can check whether your Apache is affected:

If you see the message "206 Partial Content" in the output, then your Apache is vulnerable.

Here are several immediate options to mitigate this issue until a full fix is available:

1. Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request.

1.1 Apache 2.0 and 2.2

1.2 Also for Apache 1.3

The number 5 is arbitrary. Several tens should not be an issue and may be required for sites which, for example, serve PDFs to very high-end eReaders or use things such as complex HTTP-based video streaming.

2. Limit the size of the request field to a few hundred bytes. Note that while this keeps the offending Range header short, it may break other headers (such as sizeable cookies or security fields).

Note that as the attack evolves in the field you are likely to have to further limit this and/or impose other LimitRequestFields limits.

For more information check: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

3. Use mod_headers to completely disallow the use of Range headers:

Note that this may break certain clients, such as those used for eReaders and progressive/HTTP-streaming video.
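To see how a given Range header would be treated under options 1 to 3 before you change the server, here is an added Python model of those decisions (example code, not from this article or from the Apache project). The threshold of 5 ranges is the article's; the 200-byte field cap, the sample headers and the function names count_ranges and decide are assumptions of this example.

```python
# Threshold from option 1: more than this many byte-ranges in one Range header
# is treated as hostile. 5 is the article's arbitrary value; sites that serve
# PDFs to eReaders or do HTTP video streaming may need several tens.
MAX_RANGES = 5
# Models option 2 (LimitRequestFieldSize). 200 bytes is a constructed sample
# value for this example, not a recommendation.
MAX_FIELD_SIZE = 200


def count_ranges(range_header: str) -> int:
    """Number of byte-range specs in a Range header value.

    "bytes=0-99"          -> 1
    "bytes=0-99,200-299"  -> 2
    Malformed specs are still counted: the DoS depends on how many ranges the
    server must process, not on whether they are valid.
    """
    value = range_header.strip()
    if not value.lower().startswith("bytes="):
        return 0
    specs = [s.strip() for s in value[len("bytes="):].split(",")]
    return sum(1 for s in specs if s)


def decide(range_header, policy="reject",
           max_ranges=MAX_RANGES, max_field_size=MAX_FIELD_SIZE):
    """Return how the server should treat a request carrying this Range header.

    "serve"    - honour the header (normal 206 handling)
    "too-long" - header exceeds the field-size cap (option 2; httpd answers 400)
    "strip"    - drop the header and serve the whole entity (option 1 via
                 SetEnvIf + RequestHeader unset, or option 3 for every request)
    "reject"   - refuse the request (option 1 via mod_rewrite [F], a 403)
    """
    if not range_header:
        return "serve"
    # httpd enforces LimitRequestFieldSize while parsing the request, before
    # any header rewriting, so this check comes first.
    if len(range_header.encode()) > max_field_size:
        return "too-long"
    if policy == "strip-all":          # option 3: mod_headers unsets Range always
        return "strip"
    if count_ranges(range_header) > max_ranges:
        return policy                  # "strip" or "reject" (option 1)
    return "serve"
```

Run decide() over the Range headers your legitimate clients actually send before picking a threshold, since eReader and streaming clients are the ones most likely to be caught.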

4. Deploy a Range header count module as a temporary stopgap measure:

Pre-compiled binaries for some platforms are available at:


Finally, make sure your Apache web server is updated from your OS vendor.


About the Author: Anthony G. is an IT specialist with more than 9 years of solid working experience in the Web Hosting industry. He currently works as a server support administrator, involved in consultative discussions about Web Hosting and server administration. One of the first writers on the Onlinehowto.net website, now writing for the Free Tutorials community, he publishes tutorials and articles for the wide public, as well as specific technical solutions.
