Re: nginx and Apache killer

Maxim Dounin
August 28, 2011 10:26AM
Hello!

On Sun, Aug 28, 2011 at 09:42:23AM +0000, Venky Shankar wrote:

> >
> > First of all, nginx doesn't favor HEAD requests with compression,
> > so the exact mentioned attack doesn't work against a standalone
> > nginx installation.
> >
>
> Well, with Apache, the problem is not really due to the compression module
> (you can disable compression and still get DoS'ed)
>
> It is with how it handles byte ranges (by ignoring overlapping ranges
> etc...)
>
> Currently with Apache requests like
>
> Range: bytes=0-1,0-2,0-3...................... <nnn-nnn>
>
> OR
>
> Range: bytes=0-0, 1-1, 2-2.................<nnn-nnn>
>
> will not result in merging of the ranges and deliver data for each range.
> With a huge number of those ranges there is a lot of memory consumed.

Not really. The problem in Apache is not "not merging", but O(N^2)
memory consumption while handling Range requests, where N is the number
of ranges requested.

See here for more information:

http://permalink.gmane.org/gmane.comp.apache.devel/45196
http://permalink.gmane.org/gmane.comp.apache.devel/45290

With nginx you are safe: there is no O(N^2) memory consumption.
Additionally, it won't do any actual data processing with HEAD
requests as used in the attacking script in question.

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
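
An added example, not part of the thread and not nginx or Apache code: a defensive check that counts the N ranges in a `Range` header value, merges overlapping and adjacent ones, and falls back to a full response above a cap. The function names, the returned action strings and the `MAX_RANGES` value are assumptions made for illustration.

```python
import re

MAX_RANGES = 5  # assumed policy limit, not a value from the thread
_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header_value, size):
    """Parse a Range header value into inclusive (first, last) pairs.
    Returns None when the value is malformed or nothing is satisfiable."""
    unit, _, specs = header_value.partition("=")
    if unit.strip().lower() != "bytes" or size <= 0:
        return None
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            return None
        first, last = m.groups()
        if first == "":                      # suffix form "-N": last N bytes
            if int(last) > 0:
                ranges.append((max(size - int(last), 0), size - 1))
            continue
        a, b = int(first), int(last) if last else size - 1
        if b < a:
            return None
        if a < size:                         # skip unsatisfiable ranges
            ranges.append((a, min(b, size - 1)))
    return ranges or None

def coalesce(ranges):
    """Merge overlapping and adjacent ranges in O(N log N) time, O(N) memory."""
    merged = []
    for a, b in sorted(ranges):
        if merged and a <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], b))
        else:
            merged.append((a, b))
    return merged

def assess(header_value, size, limit=MAX_RANGES):
    """Decide how a server-side filter could treat the request."""
    ranges = parse_ranges(header_value, size)
    if ranges is None:
        return {"action": "ignore-range", "requested": 0, "merged": []}
    action = "serve-full" if len(ranges) > limit else "serve-ranges"
    return {"action": action, "requested": len(ranges), "merged": coalesce(ranges)}

# Constructed sample in the shape quoted in the thread (0-1,0-2,0-3,...).
SAMPLE = "bytes=" + ",".join(f"0-{i}" for i in range(1, 200))

if __name__ == "__main__":
    print(assess("bytes=0-0, 1-1, 2-2", 1000))
    print(assess(SAMPLE, 1000)["action"])
```

Counting before merging is deliberate: the cap applies to what the client asked for, so a long list that happens to collapse into one range is still treated as a full-body request.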