Welcome! Log In Create A New Profile

Advanced

nginx and Apache killer

August 27, 2011 04:12AM
Following "Apache Killer" discussions and the advisory from 2011-08-24
(Advisory: Range header DoS vulnerability Apache HTTPD 2.x CVE-2011-3192)
we'd like to clarify a couple of things in regards to nginx behavior
either in standalone or "combo" (nginx+apache) modes.

First of all, nginx doesn't favor HEAD requests with compression,
so the exact mentioned attack doesn't work against a standalone
nginx installation.

If you're using nginx in combination with proxying to apache backend,
please check your configuration to see if nginx actually passes range
requests to the backend:

1) If you're using proxying WITH caching then range requests are not
sent to backend and your apache should be safe.

2) If you're NOT using caching then you might be vulnerable to the attack.

In order to mitigate this attack when your installation includes
apache behind nginx we recommend you the following:

1. Refer to the above mentioned security advisory CVE-2011-3192 for apache
and implement described measures accordingly.

2. Consider using nginx configuration below (in server{} section of
configuration). This particular example filters 5 and more ranges
in the request:

if ($http_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") {
return 416;
}

We'd also like to notify you that for standalone nginx installations
we've produced the attached patch. This patch prevents handling
malicious range requests at all, instead outputting just the entire file
if the total size of all ranges is greater than the expected response.


--
Igor Sysoev
Index: src/http/modules/ngx_http_range_filter_module.c
===================================================================
--- src/http/modules/ngx_http_range_filter_module.c (revision 4034)
+++ src/http/modules/ngx_http_range_filter_module.c (working copy)
@@ -146,7 +146,6 @@
ngx_http_range_header_filter(ngx_http_request_t *r)
{
time_t if_range;
- ngx_int_t rc;
ngx_http_range_filter_ctx_t *ctx;

if (r->http_version < NGX_HTTP_VERSION_10
@@ -192,10 +191,9 @@
return NGX_ERROR;
}

- rc = ngx_http_range_parse(r, ctx);
+ switch (ngx_http_range_parse(r, ctx)) {

- if (rc == NGX_OK) {
-
+ case NGX_OK:
ngx_http_set_ctx(r, ctx, ngx_http_range_body_filter_module);

r->headers_out.status = NGX_HTTP_PARTIAL_CONTENT;
@@ -206,15 +204,16 @@
}

return ngx_http_range_multipart_header(r, ctx);
- }

- if (rc == NGX_HTTP_RANGE_NOT_SATISFIABLE) {
+ case NGX_HTTP_RANGE_NOT_SATISFIABLE:
return ngx_http_range_not_satisfiable(r);
- }

- /* rc == NGX_ERROR */
+ case NGX_ERROR:
+ return NGX_ERROR;

- return rc;
+ default: /* NGX_DECLINED */
+ break;
+ }

next_filter:

@@ -235,11 +234,12 @@
ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx)
{
u_char *p;
- off_t start, end;
+ off_t start, end, size;
ngx_uint_t suffix;
ngx_http_range_t *range;

p = r->headers_in.range->value.data + 6;
+ size = 0;

for ( ;; ) {
start = 0;
@@ -277,9 +277,10 @@

range->start = start;
range->end = r->headers_out.content_length_n;
+ size += range->end - start;

if (*p++ != ',') {
- return NGX_OK;
+ break;
}

continue;
@@ -331,10 +332,18 @@
range->end = end + 1;
}

+ size += range->end - start;
+
if (*p++ != ',') {
- return NGX_OK;
+ break;
}
}
+
+ if (size > r->headers_out.content_length_n) {
+ return NGX_DECLINED;
+ }
+
+ return NGX_OK;
}


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

nginx and Apache killer

Igor Sysoev August 27, 2011 04:12AM

Re: nginx and Apache killer

Juan Angulo Moreno August 27, 2011 10:06PM

Re: nginx and Apache killer

Maxim Dounin August 28, 2011 04:48AM

Re: nginx and Apache killer

Venky Shankar August 28, 2011 05:44AM

Re: nginx and Apache killer

Maxim Dounin August 28, 2011 10:26AM

Re: nginx and Apache killer

Venky Shankar August 28, 2011 12:50PM

Re: nginx and Apache killer

Maxim Dounin August 28, 2011 04:24PM

Re: nginx and Apache killer

Gena Makhomed August 28, 2011 10:20AM

Re: nginx and Apache killer

Maxim Dounin August 28, 2011 12:38PM

Re: nginx and Apache killer

Gena Makhomed August 28, 2011 04:40PM

Re: nginx and Apache killer

Maxim Dounin August 28, 2011 08:16PM

Re: nginx and Apache killer

Gena Makhomed August 29, 2011 02:32PM

Re: nginx and Apache killer

Igor Sysoev August 29, 2011 02:48PM

Re: nginx and Apache killer

Danran February 23, 2023 11:44AM

Re: nginx and Apache killer

Jim Ohlstein September 01, 2011 08:02AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 125
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready