What is Apache Killer?
Apache killer is a script which aims to exploit an Apache vulnerability.
Basically, it makes Apache fill up the /tmp directory, which makes the web server unstable.
Who is concerned?
Anybody running a website on Apache.
The Apache announcement
How can ALOHA Load-Balancer help you?
First, let’s have a look at the diagram below:
The ALOHA can clean up your Range headers, limit the connection rate of malicious clients, and even emulate the success of the attack.
Protect against Range header
Basically, the attack consists of sending a lot of Range headers to the web server.
So, if a "client" sends more than 10 Range headers, we can consider this an attack and clean them up.
Just add the two lines below in your Layer 7 (HAProxy) backend configuration to protect your Apache web servers:
backend bk_http
    [...]
    # Detect an ApacheKiller-like attack
    acl weirdrangehdr hdr_cnt(Range) gt 10
    # Clean up the request
    reqidel ^Range if weirdrangehdr
    [...]
Protect against service abuser
Since this kind of attack is combined with a DoS, you can blacklist bad guys with the configuration below.
It will limit users to 10 connections over a 10s period, then hold the connection for 10s before answering a 503 HTTP response.
You should adjust the values below to your website traffic.
frontend ft_http
    [...]
    option http-server-close
    # Setup stick table
    stick-table type ip size 1k expire 30s store gpc0
    # Configure the DoS src
    acl MARKED src_get_gpc0(ft_http) gt 0
    # tarpit attackers if marked as a DoS source
    use_backend bk_tarpit if MARKED
    # If not blocked, track the connection
    tcp-request connection track-sc1 src if ! MARKED
    default_backend bk_http
    [...]

backend bk_http
    [...]
    # Table to track connection rate
    stick-table type ip size 1k expire 30s store conn_rate(5s)
    # Track request
    tcp-request content track-sc2 src
    # Mark as abuser if more than 10 connections
    acl ABUSER sc2_conn_rate gt 10
    # This ACL always matches; its side effect is to increment gpc0 for the source in ft_http
    acl MARKED_AS_ABUSER sc1_inc_gpc0
    # Block connection considered as abuser
    tcp-request content reject if ABUSER MARKED_AS_ABUSER
    [...]

# Slow down attackers
backend bk_tarpit
    mode http
    # hold the connection for 10s before answering
    timeout tarpit 10s
    # Emulate a 503 error
    errorfile 500 /etc/errors/500_tarpit.txt
    # slowdown any request coming up to here
    reqitarpit .
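To make the two checks concrete, here is an added Python model of the logic configured above (it is not ALOHA's or HAProxy's code): the Range header count test, and the connection-rate tracking with the gpc0 abuser mark. It approximates HAProxy's conn_rate with a sliding window and feeds in constructed requests.

```python
from collections import defaultdict, deque

RANGE_HDR_LIMIT = 10     # mirrors: acl weirdrangehdr hdr_cnt(Range) gt 10
CONN_RATE_LIMIT = 10     # mirrors: acl ABUSER sc2_conn_rate gt 10
CONN_RATE_WINDOW = 5.0   # mirrors: store conn_rate(5s)


def parse_headers(raw):
    """Split a raw HTTP/1.x request head into (name, value) pairs, keeping duplicates."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def strip_excess_range(headers):
    """Emulate 'reqidel ^Range if weirdrangehdr': when more than RANGE_HDR_LIMIT
    Range headers are present, drop every Range header and flag the request."""
    count = sum(1 for name, _ in headers if name == "range")
    if count > RANGE_HDR_LIMIT:
        return [h for h in headers if h[0] != "range"], True
    return headers, False


class SourceTracker:
    """Emulate the two stick tables: a per-source connection rate (sliding-window
    approximation of conn_rate, an assumption) and the sticky gpc0 abuser counter."""

    def __init__(self):
        self.conns = defaultdict(deque)  # src -> timestamps inside the window
        self.gpc0 = defaultdict(int)     # src -> abuse marks

    def admit(self, src, now):
        """Frontend decision for one new connection: accept, reject or tarpit."""
        if self.gpc0[src] > 0:                  # acl MARKED: route to bk_tarpit
            return "tarpit"
        window = self.conns[src]
        window.append(now)                      # track-sc1 / track-sc2 src
        while window and now - window[0] > CONN_RATE_WINDOW:
            window.popleft()
        if len(window) > CONN_RATE_LIMIT:       # acl ABUSER
            self.gpc0[src] += 1                 # sc1_inc_gpc0 marks the source
            return "reject"                     # tcp-request content reject
        return "accept"
```

On current HAProxy releases (2.1 and later) the `reqidel` and `reqitarpit` directives no longer exist; the same checks are written with `http-request del-header Range if weirdrangehdr` and `http-request tarpit`.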
Open a shell on your ALOHA Load-Balancer, then:
- create the directory /etc/errors/
- create the file 500_tarpit.txt with the content below.
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Content-Length: 310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Error</title>
</head>
<body><h1>Something went wrong</h1></body>
</html>
Don’t forget to save your configuration with the command