How to mitigate from Apache Killer?

Apache is the most popular web server in use today. The Apache Killer exploit, released in August 2011, targets a vulnerability in the Apache software that is triggered by a crafted "Range" HTTP header. The attack abuses the HTTP protocol by requesting the URL content in a huge number of small chunks (byte ranges), which leads to hundreds of large memory fetches, causing the server to run out of memory and crash. This vulnerability, identified as CVE-2011-3192, was fixed in httpd-2.2.21.

Mitigating Apache from DDoS

According to the DDoS mitigation vendor Arbor Networks, a DDoS bot called Armageddon has integrated the Apache Killer exploit. To keep your Apache web server from becoming a DDoS target, follow the mitigation steps below.

1. If you're running an Apache web server older than 2.2.21, it is strongly advised that you upgrade it to the newest version or apply the patching options described in the reference section of this article.

** Even though you may be running an httpd version older than 2.2.21, your installed httpd may already include the security fix from 2.2.21, because Red Hat backports security fixes into older package versions. To check whether your httpd includes the CVE-2011-3192 fix, run the following commands; if the fix is present, the changelog grep prints an entry like the one shown on the last line.

# rpm -q httpd
# rpm -q --changelog httpd |grep 'CVE-2011-3192'
- add security fix for CVE-2011-3192 (#733063, #736592)

If you wish to upgrade your Apache web server and other Linux packages, please consult How to install RHEL EPEL repository.

If you don't see the fix applied to your installed Apache, you can configure Apache to limit the number of ranges accepted in the Range header to 5 (or any other number you choose), as shown below:

   Option 1: (Apache 2.0 and 2.2)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

   Option 2: (Also for Apache 1.3)

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          RewriteEngine on
          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
          RewriteRule .* - [F]

2. Raise the limit on the number of simultaneous requests by increasing the MaxClients directive (the default is 256). You may also enlarge the queue of pending connections with the ListenBacklog directive, which defaults to 511.

3. Install the mod_evasive, mod_dosevasive or mod_security Apache modules.
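To see exactly which Range header values each option in step 1 drops or rejects, here is an added Python example (not from the original article or the Apache project) that applies the two regexes from the configuration above to constructed Range header values; it assumes that Python's re module treats these simple patterns the same way Apache's PCRE engine does.

```python
import re

# Option 1 regex from the SetEnvIf line: the Range header is dropped when it matches.
# Five or more commas means six or more ranges, i.e. "more than 5 ranges".
OPTION1_BAD_RANGE = re.compile(r"(,.*?){5,}")

# Option 2 regex from the RewriteCond line (without the leading "!"): the request is
# allowed only when it matches, i.e. an empty/absent header, or "bytes=" followed by
# one to five comma-separated range specs. Anything else is answered with 403.
OPTION2_ALLOWED = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")


def option1_decision(range_header: str) -> str:
    """Mirror SetEnvIf + 'RequestHeader unset': unanchored search, drop header on match."""
    return "drop-header" if OPTION1_BAD_RANGE.search(range_header) else "pass"


def option2_decision(range_header: str) -> str:
    """Mirror the negated RewriteCond + RewriteRule [F]: 403 unless the allow-pattern matches."""
    return "pass" if OPTION2_ALLOWED.search(range_header) else "403"


def evaluate(headers: dict) -> dict:
    """Return {label: (option 1 decision, option 2 decision)} for each header value."""
    return {label: (option1_decision(v), option2_decision(v)) for label, v in headers.items()}


# Constructed sample Range header values (not captured traffic). "absent" models a
# request with no Range header at all, which Apache exposes as an empty string.
SAMPLE_HEADERS = {
    "absent": "",
    "single": "bytes=0-499",
    "five": "bytes=0-,1-,2-,3-,4-",
    "six": "bytes=0-,1-,2-,3-,4-,5-",
    "flood": "bytes=" + ",".join(f"{i}-" for i in range(200)),  # many-range request
    "other-unit": "items=0-1",
    "trailing-comma": "bytes=0-1,",
}

if __name__ == "__main__":
    for label, (opt1, opt2) in evaluate(SAMPLE_HEADERS).items():
        print(f"{label:15} option1={opt1:12} option2={opt2}")
```

The output shows that Option 1 only counts commas and lets odd values such as "items=0-1" or a trailing comma through, while Option 2 also rejects anything that is not a well-formed "bytes=" list of at most five ranges.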

Patching from Range header DoS vulnerability.
