nginx and Apache killer

Gena Makhomed gmm at csdoc.com
Sun Aug 28 14:19:25 UTC 2011


On 27.08.2011 11:11, Igor Sysoev wrote:

> Following "Apache Killer" discussions and the advisory from 2011-08-24
> (Advisory: Range header DoS vulnerability Apache HTTPD 2.x CVE-2011-3192)
> we'd like to clarify a couple of things in regards to nginx behavior
> either in standalone or "combo" (nginx+apache) modes.

CVE-2011-3192 updated 26 Aug 2011. UPDATE 2 version available from
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser

> In order to mitigate this attack when your installation includes
> apache behind nginx we recommend you the following:
>
> 1. Refer to the above mentioned security advisory CVE-2011-3192 for apache
> and implement described measures accordingly.

these workarounds are needed only if "naked" apache open to internet.
if apache listen only at 127.0.0.1 and located behind nginx frontend,
enough ipmlement protection only at nginx level.

> 2. Consider using nginx configuration below (in server{} section of
> configuration). This particular example filters 5 and more ranges
> in the request:
>
>    if ($http_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") {
>        return 416;
>    }

this example allow 5 ranges in the request,
and blocks with 416 return code only 6 and more ranges.

to protect apache it is necessary filter malicious range requests
not only in "Range:" header, but also in "Request-Range:" header.

to emulate directive "max_ranges 5;" to allow max 5 ranges:

if ($http_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") {return 416;}
if ($http_request_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") {return 416;}

to emulate directive "max_ranges 1;" to allow only one range:

if ($http_range ~ ",") {return 416;}
if ($http_request_range ~ ",") {return 416;}

to completely remove these headers while proxying requests to apache:

proxy_set_header Range "";
proxy_set_header Request-Range "";

> We'd also like to notify you that for standalone nginx installations
> we've produced the attached patch. This patch prevents handling
> malicious range requests at all, instead outputting just the entire file
> if the total size of all ranges is greater than the expected response.

this not protect nginx from "frequent nginx disk seek (D)Dos attack",
and additional max_ranges checks/protections for nginx is required!!!

but workarounds

"if ($http_range ~ ..."
"if ($http_request_range ~ ..."

can be implemented to protect apache and nginx itself
from (D)Dos attacks only if nginx was configured
and compiled with ngx_http_rewrite_module

if nginx was configured --without-http_rewrite_module workarounds
in nginx config to protect nginx itself can not be implemented,
and nginx will remain in vulnerable state to other type of DDoS
- "frequent nginx disk seek (D)Dos attack" on huge static files.

-- 
Best regards,
  Gena



More information about the nginx mailing list