According to the advisory, a default Apache installation is vulnerable to this attack, which can be carried out remotely. The developers say that a modest number of requests is enough to cause significant CPU and memory consumption on the server.
The DoS arises from the way the Apache HTTPD server handles multiple overlapping byte ranges requested in a single Range header. A tool known as ‘killapache’ surfaced in a Full Disclosure mailing list post last week, and the dev team warns that active use of the tool has been observed.
Apache has promised to provide a full fix within 48 hours. In the meantime, Apache recommends several immediate steps to mitigate this issue. Options include the following:
- Use SetEnvIf or mod_rewrite to detect a large number of ranges, then either ignore the Range: header or reject the request.
- Limit the size of request header fields (LimitRequestFieldSize) to a few hundred bytes; note that this also rejects legitimately large headers such as sizeable cookies.
- Use mod_headers to disallow the Range header entirely (RequestHeader unset Range).
- Deploy a Range header counting module as a temporary stopgap.
- Apply the patches under discussion in this post on the Apache mailing list.
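The first three options above differ in where the request is cut off and what a legitimate client sees. The following Python is an added example, not code from the Apache advisory or the httpd project: it models those three interim options (drop an over-long Range header, reject the request, or strip Range unconditionally) plus the header-size limit, using the same regular expressions the advisory's SetEnvIf and mod_rewrite snippets use, and runs them over constructed sample requests. The mode names, the `filter_request` helper and the sample headers are this example's own; the thresholds (more than five ranges, 200-byte fields) follow the advisory.

```python
import re

# Added example: a Python model of the Apache advisory's interim Range-header
# mitigations so the decision logic can be checked offline. Not Apache code;
# the function and mode names are this example's own.

# Equivalent of:  LimitRequestFieldSize 200
# Every header line longer than this is refused before any Range logic runs
# (which also breaks large cookies and similar headers).
MAX_FIELD_BYTES = 200

# Equivalent of:  SetEnvIf Range (,.*?){5,} bad-range=1
# Each repetition starts with a literal comma, so five or more commas
# (six or more ranges) are needed for a match.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")

# Equivalent of:  RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
#                 RewriteRule .* - [F]
# A Range value is acceptable only if it is empty or "bytes=" plus one range
# and at most four more; anything else is refused with 403.
REWRITE_OK_RANGE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")


def header(headers, name):
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return key, value
    return None, ""


def filter_request(headers, mode="ignore"):
    """Apply one of the advisory's options to a request's headers.

    mode="ignore": drop an over-long Range header and serve the request
                   (SetEnvIf + RequestHeader unset Range env=bad-range).
    mode="reject": refuse the request instead (mod_rewrite [F]).
    mode="strip":  remove Range unconditionally (RequestHeader unset Range).
    Returns (status, headers as the content handler would see them).
    """
    if mode not in ("ignore", "reject", "strip"):
        raise ValueError(f"unknown mode {mode!r}")

    # The field-size limit is enforced while parsing, ahead of everything else.
    for name, value in headers.items():
        if len(f"{name}: {value}".encode()) > MAX_FIELD_BYTES:
            return "400 request header field too large", {}

    out = dict(headers)
    key, range_value = header(out, "Range")

    if mode == "strip":
        out.pop(key, None)
        return "200 ok, range stripped", out
    if mode == "reject":
        if REWRITE_OK_RANGE.search(range_value):
            return "200 ok", out
        return "403 forbidden", {}
    if SETENVIF_BAD_RANGE.search(range_value):
        out.pop(key, None)
        return "200 ok, range dropped", out
    return "200 ok", out


def sample_requests():
    """Constructed sample headers (not captured traffic)."""
    ten_ranges = "bytes=0-" + "".join(f",5-{k}" for k in range(10))
    # Shaped like the killapache request: well over a thousand overlapping
    # ranges in one header line. Here it trips the field-size limit first.
    flood = "bytes=0-" + "".join(f",5-{k}" for k in range(1300))
    return {
        "plain": {"Host": "example.test"},
        "resume": {"Host": "example.test", "Range": "bytes=1000-"},
        "five": {"Host": "example.test", "Range": "bytes=0-1,2-3,4-5,6-7,8-9"},
        "six": {"Host": "example.test", "Range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"},
        "ten": {"Host": "example.test", "range": ten_ranges},
        "flood": {"Host": "example.test", "Range": flood},
    }


def run_samples(mode="ignore"):
    """Return {sample name: status} for every constructed request under one mode."""
    return {name: filter_request(h, mode)[0] for name, h in sample_requests().items()}


if __name__ == "__main__":
    for mode in ("ignore", "reject", "strip"):
        print(mode, run_samples(mode))
```

Two things worth noticing when running it: the SetEnvIf and mod_rewrite thresholds agree (a five-range request passes both, a six-range request is dropped by one and refused by the other), and a flood-sized header never reaches the range logic at all once the field-size limit is a few hundred bytes, which is why the advisory lists that limit as an option on its own.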
OS X users will have to wait for Apple to release a fix, since Apache ships bundled with Mac OS X Server. Complete details of the vulnerability and the proposed interim fixes can be found here.