WAF 343013

From Atomicorp Wiki

Rule ID

343013

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Range: Too many fields, this may be a DOS attack.

Description

A vulnerability exists in Apache versions 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 that permits remote denial of service attacks against the server, and permits possible DDoS attacks. An exploit for this vulnerability is available and is circulating in the wild.

The attack works via a Range header that expresses multiple overlapping ranges. This rule detects when more than 10 range fields are expressed in a request.
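As an added illustration of the check this rule performs (example code written for this page, not Atomicorp's rule text or its implementation), the following Python parses a byte Range header, counts its range fields and applies the same more-than-10 threshold; the overlap report and the sample header values are constructed for the example.

```python
import re

# Threshold described on this page: more than 10 range fields raises an alert.
MAX_RANGE_FIELDS = 10

# One byte-range-spec: "first-last", "first-" (open end) or "-suffix".
_SPEC_RE = re.compile(r"^\s*(?:(\d+)-(\d*)|-(\d+))\s*$")


def parse_range_fields(header_value):
    """Split a Range header value into (first, last) tuples.

    "500-" becomes (500, None); "-500" becomes (None, 500).
    Raises ValueError for anything that is not a syntactically valid
    bytes Range header, so callers can treat garbage as suspicious too.
    """
    unit, sep, specs = header_value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported or malformed Range unit")
    fields = []
    for spec in specs.split(","):
        m = _SPEC_RE.match(spec)
        if not m:
            raise ValueError("malformed byte-range-spec: %r" % spec)
        first, last, suffix = m.groups()
        if suffix is not None:
            fields.append((None, int(suffix)))
        else:
            fields.append((int(first), int(last) if last else None))
    return fields


def has_overlap(fields):
    """True if any two absolute ranges overlap. An open end ("500-") is
    treated as infinite; suffix ranges ("-500") are skipped because their
    position depends on the response length."""
    absolute = sorted((f, float("inf") if l is None else l)
                      for f, l in fields if f is not None)
    # After sorting by start, any overlap shows up between neighbours.
    for (_, prev_end), (cur_start, _) in zip(absolute, absolute[1:]):
        if cur_start <= prev_end:
            return True
    return False


def check_range_header(header_value, limit=MAX_RANGE_FIELDS):
    """Mirror the rule's decision: alert when a request carries more than
    `limit` range fields. Overlap is reported for context only."""
    fields = parse_range_fields(header_value)
    return {"fields": len(fields), "overlapping": has_overlap(fields),
            "alert": len(fields) > limit}
```

A legitimate two-range request stays below the threshold, while a constructed header carrying eleven overlapping open-ended ranges trips it.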

False Positives

A false positive can occur when an application legitimately uses a large number of range fields, such as a site that serves PDFs to very high-end eReaders or one that uses complex HTTP-based video streaming.

It is not recommended that you globally disable this rule because of a false positive unless you are running a version of Apache that is not vulnerable to this type of Range attack.

Tuning Guidance

If you know that this behavior is acceptable for your application, you can disable this rule for a specific domain; see the Tuning the Atomicorp WAF Rules page for basic information. We recommend that you upgrade Apache if you are running a vulnerable version rather than disabling this rule.

Similar Rules

WAF_343012

Knowledge Base Articles

None.

Outside References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192

http://www.securityfocus.com/bid/49303/info

http://www.apache.org/dist/httpd/Announcement2.2.html
