How to mitigate Apache Killer?

Apache is the most popular web server in use today. The Apache Killer exploit, released in August 2011, targets a vulnerability in Apache httpd by sending a crafted "Range" HTTP header. The attack abuses the HTTP protocol by requesting that URL content be returned in a huge number of small chunks, which leads to hundreds of large memory fetches and causes the server to run out of memory and crash. The vulnerability, identified as CVE-2011-3192, was fixed in httpd-2.2.21.

Mitigating Apache from DDoS

According to DDoS mitigation vendor Arbor Networks, a DDoS bot called Armageddon has integrated the Apache Killer exploit. To prevent your Apache web server from being a DDoS target, you may wish to follow the mitigation steps below.

1. If you're running an Apache web server version lower than 2.2.21, it is strongly advised that you upgrade to the newest version or apply the patching options described in the reference section of this article.

** Even if you are running an httpd version lower than 2.2.21, your installed httpd may already include the security fix from 2.2.21, backported by Red Hat. To check whether your httpd includes the CVE-2011-3192 fix, run the following commands.

# rpm -q httpd
httpd-2.2.15-29.el6.centos.x86_64
# rpm -q --changelog httpd |grep 'CVE-2011-3192'
- add security fix for CVE-2011-3192 (#733063, #736592)

If you wish to upgrade your Apache web server and other Linux packages, please consult "How to install RHEL EPEL repository".

If you don't see the fix applied to your installed Apache, you may want to configure Apache to limit the number of ranges accepted in the Range header to 5 (or any other number you choose), as shown below:

   Option 1: (Apache 2.0 and 2.2)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

   Option 2: (Also for Apache 1.3)

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          RewriteEngine on
          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
          RewriteRule .* - [F]
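To see which requests each option actually affects before deploying it, the two regular expressions from the configuration above can be evaluated offline against sample Range headers. The following is an added example, not code from the original post or from the Apache project; it reproduces the page's two patterns in Python's re module (whose behaviour matches Apache's PCRE for these patterns) and runs them over a few constructed headers. The helper names and the sample headers are the example's own.

```python
import re

# Option 1 pattern, copied from the page's SetEnvIf line: it matches when the
# header value contains at least five commas, i.e. six or more ranges.
OPTION1_BAD_RANGE = re.compile(r"(,.*?){5,}")

# Option 2 pattern, copied from the page's RewriteCond line. The RewriteCond
# negates it with "!", so a request is ALLOWED only when the header is empty
# or is "bytes=" followed by at most five comma-separated range specs.
OPTION2_ALLOWED = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")


def count_ranges(range_header: str) -> int:
    """Number of range specs in a Range header value; 0 for an absent header."""
    if not range_header.strip():
        return 0
    _, _, specs = range_header.partition("=")
    return len([s for s in specs.split(",") if s.strip()])


def option1_drops_header(range_header: str) -> bool:
    """True when SetEnvIf sets bad-range and RequestHeader unsets Range.

    The request itself still proceeds; it is simply served without ranges.
    """
    return OPTION1_BAD_RANGE.search(range_header) is not None


def option2_rejects_request(range_header: str) -> bool:
    """True when the RewriteCond (negated) succeeds and RewriteRule answers 403.

    Note the stricter behaviour: anything that is not "bytes=..." is rejected,
    not just headers with too many ranges.
    """
    return OPTION2_ALLOWED.search(range_header) is None


def evaluate(range_header: str) -> dict:
    """Summarise how each option treats one header value."""
    return {
        "ranges": count_ranges(range_header),
        "option1_drops_header": option1_drops_header(range_header),
        "option2_rejects_request": option2_rejects_request(range_header),
    }


if __name__ == "__main__":
    # Constructed sample header values (hypothetical, not from real traffic).
    samples = [
        "",                                      # no Range header at all
        "bytes=0-499",                           # one range: normal client
        "bytes=-500",                            # suffix range: also normal
        "bytes=0-1,2-3,4-5,6-7,8-9",             # five ranges: still allowed
        "bytes=0-1,2-3,4-5,6-7,8-9,10-11",       # six ranges: over the limit
        "items=0-1",                             # non-bytes unit: option 2 only
    ]
    for header in samples:
        result = evaluate(header)
        print(f"{header!r:40} ranges={result['ranges']} "
              f"opt1_drop={result['option1_drops_header']} "
              f"opt2_403={result['option2_rejects_request']}")
```

The run makes the practical difference between the two options visible: Option 1 only strips the header (the client gets the whole resource with a 200), while Option 2 returns 403 and also refuses any Range unit other than "bytes", which is worth knowing before choosing a limit lower than 5.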

2. Increase the limit on the number of simultaneous requests by raising the MaxClients directive (the default is 256). You may also lengthen the pending-connection queue with the ListenBacklog directive, which defaults to 511.

3. Install mod_evasive, mod_dosevasive or mod_security Apache modules.

References
