Difference between revisions of "WAF 343013"
m (Created page with "'''Rule ID''' 343013 '''Status''' Active rule currently published. '''Alert Message''' Atomicorp.com WAF Rules: Range: Too many fields, this may be a DOS attack. '''Desc...") |
Latest revision as of 15:43, 1 September 2011
Rule ID
343013
Status
Active rule currently published.
Alert Message
Atomicorp.com WAF Rules: Range: Too many fields, this may be a DOS attack.
Description
A vulnerability exists in Apache versions 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 that permits remote denial of service attacks against the server, and permits possible DDoS attacks. An exploit for this vulnerability is available and is circulating in the wild.
The attack works via a Range header that expresses multiple overlapping ranges. This rule detects when more than 10 range fields are expressed in a request.
False Positives
A false positive can occur when an application legitimately sets a large number of range headers, such as sites that serve PDFs to very high end eReaders or sites that use complex http based video streaming.
It is not recommended that you globally disable this rule if you have a false positive unless you are running a version of apache that is not vulnerable to this type of Range attack.
Tuning Guidance
If you know that this behavior is acceptable for your application, you can disable this rule for a specific domain by following the Tuning the Atomicorp WAF Rules page for basic information. We recommend that you upgrade Apache if you are running a vulnerable version rather than disabling this rule.
Similar Rules
Knowledge Base Articles
None.
Outside References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
