Archive

Posts Tagged ‘apache’

Apache Warns Web Server Admins of DoS Attack Tool

August 29th, 2011

Apache, the most widely used web server software, has become the talking point.

It appears that a tool to DoS Apache is floating about. Developers of the Apache open-source project warned users of the Web server software last Wednesday that a denial-of-service (DoS) tool is circulating that exploits a bug in the program.

The Apache project said it would release a fix for Apache 2.0 and 2.2 in the next 48 hours. All versions in the 1.3 and 2.0 lines are said to be vulnerable to attack. The group no longer supports the older Apache 1.3. ‘The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server,’ Apache said in an advisory. The bug is not new. Michal Zalewski, a security engineer who works for Google, pointed out that he had brought up the DoS exploitability of Apache more than four-and-a-half years ago. In lieu of a fix, Apache offered steps administrators can take to defend their Web servers until a patch is available.

In the meantime:

Mitigation:
============

However there are several immediate options to mitigate this issue until
a full fix is available:

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.

Option 1: (Apache 2.0 and 2.2)

# Drop the Range header when more than 5 ranges.  CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Option 2: (Also for Apache 1.3)

# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

The number 5 is arbitrary. Several tens should not be an issue and may be
required for sites which, for example, serve PDFs to very high-end eReaders
or use things such as complex HTTP-based video streaming.

2) Limit the size of the request field to a few hundred bytes. Note that while
this keeps the offending Range header short, it may break other headers,
such as sizeable cookies or security fields.

LimitRequestFieldSize 200

Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.

See: http://httpd.apache.org/docs/2.2/mod…questfieldsize

3) Use mod_headers to completely disallow the use of Range headers:

RequestHeader unset Range

Note that this may break certain clients, such as those used for
e-Readers and progressive/HTTP-streaming video.

4) Deploy a Range header count module as a temporary stopgap measure:

http://people.apache.org/~dirkx/mod_rangecnt.c

Precompiled binaries for some platforms are available at:

http://people.apache.org/~dirkx/BINARIES.txt

5) Apply any of the current patches under discussion – such as:

http://mail-archives.apache.org/mod_…
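The two configuration options in step 1 and the field-size limit in step 2 are easy to misjudge by eye, so here is an added Python example (not part of the advisory or this post) that replicates each check over constructed Range header values and reports which mitigation would act on each. The thresholds (5 ranges, 200 bytes) are the ones from the advisory's sample configuration; the sample header values and the function names are constructed for the example.

```python
import re

# Thresholds taken from the advisory's sample configuration.
MAX_RANGES = 5                  # "The number 5 is arbitrary"
LIMIT_REQUEST_FIELD_SIZE = 200  # LimitRequestFieldSize 200

# Option 1:  SetEnvIf Range (,.*?){5,} bad-range=1
# SetEnvIf does an unanchored search, so this matches any Range value that
# contains at least MAX_RANGES commas, i.e. six or more comma-separated parts.
SETENVIF_PATTERN = re.compile(r"(,.*?){%d,}" % MAX_RANGES)

# Option 2:  RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
# The leading "!" negates the match: the request is rejected unless the value
# is empty (no Range header) or a bytes= spec with at most MAX_RANGES ranges.
REWRITE_ALLOW_PATTERN = re.compile(r"(^bytes=[^,]+(,[^,]+){0,%d}$|^$)" % (MAX_RANGES - 1))


def count_ranges(range_value):
    """Number of comma-separated range specs in a Range header value ('' -> 0)."""
    if not range_value:
        return 0
    _, _, spec = range_value.partition("=")
    return len([part for part in spec.split(",") if part.strip()])


def setenvif_flags(range_value):
    """True when Option 1 sets bad-range=1 (header dropped, request logged)."""
    return SETENVIF_PATTERN.search(range_value) is not None


def rewrite_rejects(range_value):
    """True when Option 2 answers 403 via 'RewriteRule .* - [F]'."""
    return REWRITE_ALLOW_PATTERN.match(range_value) is None


def exceeds_field_size(range_value, limit=LIMIT_REQUEST_FIELD_SIZE):
    """True when the whole 'Range: ...' header line is longer than the limit."""
    return len(("Range: " + range_value).encode("ascii", "replace")) > limit


# Constructed sample Range values (not captured traffic).
SAMPLES = {
    "absent": "",
    "single": "bytes=0-499",
    "five-ranges": "bytes=0-99,100-199,200-299,300-399,400-499",
    "six-ranges": "bytes=0-99,100-199,200-299,300-399,400-499,500-599",
    "non-bytes-unit": "items=0-5",
    # 60 short, non-overlapping ranges: enough to trip every threshold.
    "many-ranges": "bytes=" + ",".join(f"{i * 10}-{i * 10 + 9}" for i in range(60)),
}


def evaluate(range_value):
    """Report which of the advisory's mitigations would act on one Range value."""
    return {
        "ranges": count_ranges(range_value),
        "setenvif_drops_header": setenvif_flags(range_value),
        "rewrite_rejects": rewrite_rejects(range_value),
        "field_size_exceeded": exceeds_field_size(range_value),
    }


def evaluate_samples():
    """Evaluate every constructed sample; keyed by sample name."""
    return {name: evaluate(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:15s} {verdict}")
```

Two things the output makes visible that the config alone does not: the SetEnvIf rule only counts commas, so a value with an unexpected unit such as `items=0-5` passes it untouched while the RewriteCond rejects anything that is not a well-formed `bytes=` spec; and a header of a few dozen ranges already exceeds `LimitRequestFieldSize 200`, which is why that limit catches the offending header but also clips any legitimate header of that length.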


Meet the Web Server

June 26th, 2010

There is a lot that goes into running a web hosting business. The provider needs an internet connection, bandwidth and a data facility to house the equipment that enables the service. While numerous components are required, almost all of them revolve around the web server.

What is a Web Server?

The term web server actually describes two different elements. One is the computer that stores the data for websites. The other is a software application that runs on the computer and processes requests from web browsers and other client-side technologies. Though often used interchangeably, these two components are quite different. For this reason, one should always clarify what is meant when mentioning a web server, as it can refer to either a machine or an application.

The Web Server in Action

A web server application helps the actual hardware serve web pages upon the request of a browser such as Internet Explorer or Opera. Because it deals primarily in HTTP (Hypertext Transfer Protocol) requests, this type of application is often referred to as an HTTP server. After receiving a request, the server speaks HTTP, which is a protocol for transferring data over the internet and enabling two computers to communicate with each other. When you use your web browser to access any given website, a request is transmitted to a web server on a remote computer. The server application then processes the browser's request and attempts to locate the requested web page. If it is found, the server sends the page to your browser, which then displays the appropriate content.
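To make the request and response concrete, here is an added, socket-free model of that exchange in Python (an illustration written for this page, not code from any real web server). The browser side builds a request line and headers, the server side parses them, looks the path up in a constructed document root and answers with 200 and the page, or with 404 when the page is not found (400 and 405 cover malformed requests and unsupported methods). The document contents, the `toy-httpd` server name and the `example-browser` User-Agent are all constructed.

```python
# Constructed document root: the only pages this toy server knows about.
DOCUMENTS = {
    "/": b"<html><body>Home page</body></html>",
    "/about.html": b"<html><body>About us</body></html>",
}


def build_request(path, host="www.example.com"):
    """What a browser sends for a page: request line, headers, blank line."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: example-browser/1.0\r\n"  # constructed value
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def _response(status, reason, body, content_type="text/html"):
    """Assemble a status line, headers and body into raw response bytes."""
    head = (
        f"HTTP/1.1 {status} {reason}\r\n"
        "Server: toy-httpd/0.1\r\n"  # hypothetical server name, not Apache
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    return head + body


def handle_request(raw):
    """The server side: parse the request, locate the page, build the response."""
    try:
        head, _, _ = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
        headers = dict(line.split(":", 1) for line in lines[1:])
    except (UnicodeDecodeError, ValueError):
        return _response(400, "Bad Request", b"malformed request", "text/plain")
    if not version.startswith("HTTP/1."):
        return _response(400, "Bad Request", b"unsupported version", "text/plain")
    if method != "GET":
        return _response(405, "Method Not Allowed", b"only GET is supported", "text/plain")
    if "Host" not in headers:
        return _response(400, "Bad Request", b"missing Host header", "text/plain")
    body = DOCUMENTS.get(target)
    if body is None:
        return _response(404, "Not Found", b"no such page", "text/plain")
    return _response(200, "OK", body)


def parse_response(raw):
    """The browser side: split the status line off and return (status, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii")
    return int(status_line.split(" ")[1]), body


def fetch(path):
    """One round trip: browser builds the request, server answers, browser reads it."""
    return parse_response(handle_request(build_request(path)))


if __name__ == "__main__":
    for path in ("/", "/about.html", "/missing.html"):
        status, body = fetch(path)
        print(path, status, body)
```

The point of the model is the division of labour the paragraph describes: everything the browser knows about the page arrives in the response, and everything the server knows about the request is in the request line and headers, so a server that validates those few fields (method, version, Host, and whether the path exists) already decides every outcome shown here.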

Commonly Used Web Servers

The Netcraft Web Server Usage Survey reports that the Apache HTTP server is the most widely installed web server in the world, claiming that it has nearly 60% of the market share. As an open-source application, Apache supports numerous open-source technologies such as the Linux operating system and the MySQL database server.

Using a Web Server off the Web

While primarily intended for the web hosting arena, web server applications can also be used for other purposes. For example, many techies have the Apache server installed on their Windows-based computers. This is great for someone who scripts custom programs for their own servers. Several developers find this method much easier than working on a remote server. So, if you have a powerful computer and a need to create PHP scripts, a web server like Apache could work wonders on your system.
