WebApp Sec mailing list archives

Re: Apache Killer - take 2?


From: Anestis Bechtsoudis <bechtsoudis.a () gmail com>
Date: Mon, 23 Jan 2012 15:40:13 +0200

On 01/19/2012 09:59 PM, Damiano Bolzoni wrote:
Hi all,
today we saw a weird HTTP header in a request that came to a web server
we are monitoring:

HEAD /contact HTTP/1.1
Content-Range: bytes 1-1024/-1
User-Agent: Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.22 Version/10.51
Host: www.xyz.nl
Accept: */*


The offending IP is not in any blacklist, and the intent is kind of
clear...the server is Apache, but I have no detailed information about
the version/patching level. The server went ahead with a simple redirect
to the default error page.

Is this just a clumsy way to attempt an overflow of one of the range
boundaries and replicate the infamous Apache Killer attack?

cheers


The Apache byte-range killer uses many small byte-range chunks in a single
request. So no, your attached request is not related to such an attack.

In the latest Apache stable release (2.2.21), -1 is not a valid
entity-length, resulting in a full-size 200 response (and not a 206
Partial Content response) despite the requested range.

For a better understanding, take a look at modules/http/byterange_filter.c
in the Apache sources.

I attach a simple Perl PoC to check your web servers in case you have to
deal with outdated versions.


Regards,
Anestis

-- 
Anestis Bechtsoudis

Network Operation Center,
Laboratory for Computing (LabCom),
Dept. of Computer Engineering & Informatics,
University of Patras, Greece

Attachment: byte_range_check.pl
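As an added illustration of the distinction drawn above (this is not the attached byte_range_check.pl, which the archive does not reproduce), the following Python checker flags a request carrying many byte-range chunks, the pattern of the byte-range killer, and separately rejects a Content-Range whose entity-length is not digits or "*", as in the quoted request. The threshold MAX_RANGES and the sample headers are constructed assumptions.

```python
import re

# Assumed heuristic: legitimate clients rarely send more than a handful
# of byte-range-specs in one request; the byte-range killer sends hundreds.
MAX_RANGES = 5

# byte-range-spec / suffix-byte-range-spec per RFC 2616 section 14.35
RANGE_SPEC = re.compile(r'^(\d*)-(\d*)$')
# Content-Range: bytes first-last/length, length is digits or "*" (RFC 2616 14.16)
CONTENT_RANGE = re.compile(r'^bytes (\d+)-(\d+)/(\d+|\*)$')


def parse_range_header(value):
    """Parse 'bytes=a-b,c-,-d,...' into a list of (first, last) tuples.

    Open ends are returned as None. Raises ValueError on malformed input
    so that a caller can treat garbage the same way Apache does (ignore it
    and serve the whole entity).
    """
    if not value.lower().startswith("bytes="):
        raise ValueError("unsupported range unit: %r" % value)
    specs = []
    for part in value[len("bytes="):].split(","):
        part = part.strip()
        m = RANGE_SPEC.match(part)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed byte-range-spec: %r" % part)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        specs.append((first, last))
    return specs


def content_range_is_valid(value):
    """True for a syntactically valid Content-Range; 'bytes 1-1024/-1' fails."""
    return CONTENT_RANGE.match(value.strip()) is not None


def classify_request(headers):
    """Return 'byte-range-flood', 'malformed' or 'ok' for a dict of headers."""
    # Apache also honours the legacy Request-Range header, so check both.
    rng = headers.get("Range") or headers.get("Request-Range")
    if rng is not None:
        try:
            specs = parse_range_header(rng)
        except ValueError:
            return "malformed"
        if len(specs) > MAX_RANGES:
            return "byte-range-flood"
    cr = headers.get("Content-Range")
    if cr is not None and not content_range_is_valid(cr):
        return "malformed"
    return "ok"
```

Run over the quoted request, classify_request returns "malformed" rather than "byte-range-flood", which is the point made in the reply.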



