An exploit released on the Full Disclosure mailing list enables potential attackers to carry out remote denial-of-service attacks against Apache web servers with ease.
Unlike distributed denial-of-service (DDoS) attacks that rely on sheer numbers to overload servers with requests, this attack exploits a vulnerability in how Apache httpd handles a single Range header listing many overlapping byte ranges, achieving the same effect from one computer.
Even worse, in some cases the affected machines have to be rebooted before the servers recover from such an attack, which can take down other services hosted on them as well.
The exploit is coded in Perl and is aptly named "Apache Killer." There is no official patch at the moment, but there are several proposed workarounds.
One of them requires mod_rewrite and involves restricting GET and HEAD requests to a single byte range, rejecting any Range header that lists more than one. This shouldn't affect most applications in a negative way.
SetEnvIf or mod_rewrite can also be used to detect a large number of ranges and ignore the Range header or reject the request entirely.
Another option is to limit the size of request header fields to a few hundred bytes, although this might break headers that legitimately carry long strings, such as those with cookies or security tokens.
The mod_headers module can be used to strip the Range header altogether, but that isn't acceptable in all situations (resumable downloads and byte-serving stop working). Deploying a custom module that counts the ranges in the Range header is also a solution.
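The workarounds above, written out as httpd.conf directives. This is an added example, not configuration from the article or from the Apache advisory itself: the directives (mod_rewrite, mod_setenvif, mod_headers and the core LimitRequestFieldSize) are standard Apache ones, but the exact regexes, the five-range threshold and the 200-byte limit are choices made here and should be tuned to the site.

```apache
# Added example (not from the article): Apache httpd workarounds for the
# multi-range DoS. Options 1-3 are alternatives; use only one of them.

# Option 1: mod_rewrite. Return 403 to any GET/HEAD whose Range header is
# present but is not a single "bytes=" range. An absent header ("^$") passes.
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$
RewriteCond %{HTTP:range} !(^bytes=[^,]+$|^$)
RewriteRule .* - [F]

# Option 2: mod_setenvif + mod_headers. Rather than refusing the request,
# drop the Range header when it contains five or more ranges (four or more
# commas); httpd then serves the whole resource with a normal 200 response.
# The threshold is an assumption of this example; lower it if you like.
SetEnvIf Range (?:,.*?){4,} bad-range=1
RequestHeader unset Range env=bad-range

# Option 3: mod_headers only. Strip Range entirely. Simplest, but breaks
# resumable downloads, PDF byte-serving and media seeking.
# RequestHeader unset Range

# Independent of the above: cap the size of any single request header
# field. 200 bytes is an example value and will reject long Cookie headers.
LimitRequestFieldSize 200
```

Whichever option is chosen, the legacy Request-Range header deserves the same treatment as Range, since httpd honours both; the SetEnvIf and RewriteCond lines can be duplicated for it. After reloading, check the behaviour with a normal single-range request (expect 206) and with a header such as `Range: bytes=0-1,0-2,0-3,0-4,0-5` (expect 403 under option 1, or a full 200 response under option 2).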
"Apache HTTPD users who are concerned about a DoS attack against their server should consider implementing any of the above mitigations immediately," the Apache developers advise, promising to release a patch within 48 hours.
One particularity of the "Apache Killer" exploit is that it checks for the presence of mod_deflate, exiting if this isn't found. However, researchers have discovered that this is a quirk in this attack script only, the vulnerability being exploitable even if mod_deflate is not present.