If you're running Apache HTTPD, you might have seen the recent advisory (and update) about an issue where abuse of the HTTP/1.1 Range header can cause "significant CPU and memory usage".
If you're using Stingray Application Firewall, simply update your baseline rules and you will be immediately protected. Otherwise, you can use TrafficScript to block this attack:
```
# Updated: Remove (if present) an old name that Apache accepts, MSIE 3 vintage
http.removeHeader( "Request-Range" );

$r = http.getHeader( "Range" );
if( $r && string.count( $r, "," ) >= 5 ) {
   # Too many ranges, refuse the request
   http.sendResponse( "403 Forbidden", "text/plain", "Forbidden\n", "" );
}
```
This simply returns a 403 Forbidden response for any request asking for more than 5 ranges (at least 5 commas in the Range header). This is in line with the advisory's suggested mitigation: we don't block multiple ranges completely because they have legitimate uses, such as PDF readers that request parts of the document as you scroll through it, and the attack requires many more ranges to be effective.
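The same policy expressed as Python WSGI middleware, with a small harness that shows which requests pass and which are refused. This is an added example, not part of the original post or of Stingray's own code; `RangeLimitMiddleware`, `demo_app` and `handle` are hypothetical names, and the sample requests are constructed.

```python
MAX_COMMAS = 5  # same threshold as the rule above: 5 or more commas is refused


class RangeLimitMiddleware:
    """Drop Request-Range and refuse requests whose Range header lists too many ranges."""

    def __init__(self, app, max_commas=MAX_COMMAS):
        self.app = app
        self.max_commas = max_commas

    def __call__(self, environ, start_response):
        # Legacy alias that Apache also accepts: remove it so the backend never sees it.
        environ.pop("HTTP_REQUEST_RANGE", None)
        rng = environ.get("HTTP_RANGE", "")
        if rng.count(",") >= self.max_commas:
            body = b"Forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Hypothetical backend: reports which range headers actually reached it.
    seen = "Range=%r Request-Range=%r\n" % (
        environ.get("HTTP_RANGE"), environ.get("HTTP_REQUEST_RANGE"))
    body = seen.encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def handle(headers):
    """Run one constructed request through the middleware; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/doc.pdf"}
    environ.update(headers)
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(RangeLimitMiddleware(demo_app)(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # Constructed sample requests: two ranges, six ranges, and the legacy header name.
    print(handle({"HTTP_RANGE": "bytes=0-1023,4096-8191"}))
    print(handle({"HTTP_RANGE": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"}))
    print(handle({"HTTP_REQUEST_RANGE": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"}))
```

The third request returns 200 because the legacy header is stripped rather than counted, matching the `http.removeHeader` call in the rule.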