14 messages in ru.sysoev.nginxRe: nginx and Apache killer| From | Sent On | Attachments |
|---|---|---|
| Igor Sysoev | Aug 27, 2011 1:10 am |  .ranges |
| Juan Angulo Moreno | Aug 27, 2011 7:03 pm | |
| Maxim Dounin | Aug 28, 2011 1:45 am | |
| Venky Shankar | Aug 28, 2011 2:41 am | |
| Gena Makhomed | Aug 28, 2011 7:18 am | |
| Maxim Dounin | Aug 28, 2011 7:24 am | |
| Maxim Dounin | Aug 28, 2011 9:35 am | |
| Venky Shankar | Aug 28, 2011 9:48 am | |
| Maxim Dounin | Aug 28, 2011 1:21 pm | |
| Gena Makhomed | Aug 28, 2011 1:38 pm | |
| Maxim Dounin | Aug 28, 2011 5:14 pm | |
| Gena Makhomed | Aug 29, 2011 11:30 am | |
| Igor Sysoev | Aug 29, 2011 11:45 am | |
| Jim Ohlstein | Sep 1, 2011 4:59 am |
| Subject: | Re: nginx and Apache killer | |
|---|---|---|
| From: | Gena Makhomed (gm...@csdoc.com) | |
| Date: | Aug 28, 2011 7:18:43 am | |
| List: | ru.sysoev.nginx | |
On 27.08.2011 11:11, Igor Sysoev wrote:
Following "Apache Killer" discussions and the advisory from 2011-08-24 (Advisory: Range header DoS vulnerability Apache HTTPD 2.x CVE-2011-3192) we'd like to clarify a couple of things in regards to nginx behavior either in standalone or "combo" (nginx+apache) modes.
CVE-2011-3192 updated 26 Aug 2011. UPDATE 2 version available from http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser
In order to mitigate this attack when your installation includes apache behind nginx we recommend you the following:
1. Refer to the above mentioned security advisory CVE-2011-3192 for apache and implement described measures accordingly.
these workarounds are needed only if "naked" apache open to internet. if apache listen only at 127.0.0.1 and located behind nginx frontend, enough ipmlement protection only at nginx level.
2. Consider using nginx configuration below (in server{} section of configuration). This particular example filters 5 and more ranges in the request:
if ($http_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") { return 416; }
this example allow 5 ranges in the request, and blocks with 416 return code only 6 and more ranges.
to protect apache it is necessary filter malicious range requests not only in "Range:" header, but also in "Request-Range:" header.
to emulate directive "max_ranges 5;" to allow max 5 ranges:
if ($http_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") {return 416;} if ($http_request_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") {return 416;}
to emulate directive "max_ranges 1;" to allow only one range:
if ($http_range ~ ",") {return 416;} if ($http_request_range ~ ",") {return 416;}
to completely remove these headers while proxying requests to apache:
proxy_set_header Range ""; proxy_set_header Request-Range "";
We'd also like to notify you that for standalone nginx installations we've produced the attached patch. This patch prevents handling malicious range requests at all, instead outputting just the entire file if the total size of all ranges is greater than the expected response.
this not protect nginx from "frequent nginx disk seek (D)Dos attack", and additional max_ranges checks/protections for nginx is required!!!
but workarounds
"if ($http_range ~ ..." "if ($http_request_range ~ ..."
can be implemented to protect apache and nginx itself from (D)Dos attacks only if nginx was configured and compiled with ngx_http_rewrite_module
if nginx was configured --without-http_rewrite_module workarounds in nginx config to protect nginx itself can not be implemented, and nginx will remain in vulnerable state to other type of DDoS - "frequent nginx disk seek (D)Dos attack" on huge static files.
-- Best regards, Gena
_______________________________________________ nginx mailing list ngi...@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx