American Butifarra » Platform

Stop ‘Apache Killer’ in its tracks

Claude — Thu, 25 Aug 2011 03:47:44 +0000

As you may have heard, a new Apache attack tool was released on Friday. The tool, named Apache Killer, is able to create a denial-of-service attack by overloading the web server with partial requests for content. As the web server attempts to fulfill the requests it begins to run out of and memory and it crashes. The problem is exacerbated when larger files are requested (PDFs, zips, etc.) as the server must fulfill the entire request while it attempts to deliver just a portion of it.

Testing ‘Apache Killer’

I ran the tool to attack this server as well as my employer’s load balanced array of servers. It is clear that only those servers running an older version of Apache (i.e. 1.3) and those not protected by a firewall are at risk.

My underpowered virtual private server crashed just a few seconds after the attack began. The tool revealed that my employer’s web sites did not appear to be vulnerable.

Is there a solution?

While a solution from Apache.org has not been published, some of the contributors have identified the issue and are working on a patch. In the meantime, you can add the following rule to your virtual site definitions, if you own your sever, or .htaccess file if you’re in a shared-hosting environment.


RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]

The preceding rule blocks “get and head requests with multiple ranges in the Range HTTP header.”

After applying this rule, feel free to attempt to kill your server, it will not crash. You should inspect your traffic logs to verify the incoming traffic is denied access with an HTTP status of 403, or forbidden.

Dirk-Willem van Gulik from Apache published this workaround for versions 2.0 and 2.2:


# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

ColdFusion 9: What’s Hot

Claude — Tue, 14 Jul 2009 23:27:15 +0000

I just read an article by Ben Forta on the new features of ColdFusion 9. Here is my initial take on them.

What I Like

I’m really excited about CF9′s support for Object Relational Modeling. I think thorough testing must take place to make sure it scales properly under load. I imagine it’s solid since it’s based on Hybernate, but I’ve seen a few promising ORM frameworks flame out before they had a chance to be adopted due to their inability to scale.
Access to server variables is also good. There is nothing worse than having to create service initializer hacks to pre-cache components in a clustered load balanced environment (think 4 physical boxes with 7 instances each) after server/instance restarts.
Multi-server admin tools. Enough said.
Although I prefer to code JavaScript applications separately from CFML, I am glad Ext-JS (3.0) continues to be the official JavaScript framework that ships with ColdFusion.

Not so Hot

I don’t think the new “local” scope adds any value. It seems we’re trying to hard to allow people to write inefficient code by being careless about scoping. Using “var” is fine with me as it is similar across multiple languages. “local” will just add another thing to remember when coding in CFML.

The Jury is Still Out

I’d like to get more testing done with the IDE, ColdFusion Builder, before making up my mind. I’ve been a fan of Aptana, the Eclipse-based IDE, for working with my favorite JavaScript frameworks, PHP and HTML/CSS. I hope the tool is both capable and fast, which has been tough to achieve with Flex Builder.

ColdFusion 9 and ColdFusion Builder Now Available on Labs

Introduction to Ext.Direct

Claude — Wed, 13 May 2009 14:09:52 +0000

Evan Trimboli of the Ext-JS team just published an article describing Ext.Direct, a remoting API that is part of Ext 3.0. The team has created a remoting specification that you can use to implement the server-side stack of your choice.

Details about server-specific implementations already being maintained can be found here.

Ext.Direct is a new package in Ext JS 3.0 that helps alleviate many of these issues by streamlining communication between your client and server. When using Ext.Direct, you can expect to write 30% less code by eliminating common boiler plate code.
The Ext.direct namespace introduces several new classes for a close integration with the server-side. New classes have also been added to the Ext.data namespace for working with Ext.data.Stores which are backed by data from an Ext.Direct method.
Ext.Direct uses a provider architecture, where one or more providers are used to transport data to and from the server. There are several providers that exist in the core at the moment, for example a JsonProvider for simple JSON operations and a PollingProvider for repeated requests. One of the most powerful providers is the RemotingProvider.

Read the rest here.

Ext-JS to Provide Free CDN Hosting for its Framework

Claude — Wed, 19 Nov 2008 04:32:28 +0000

This is great news for the Ext-JS community. Here is why you should take advantage of a content delivery network.

We are pleased to announce that Ext has partnered with CacheFly, a global content network, to provide free CDN hosting for the Ext JS framework. Cachefly’s globally distributed network and aggressive caching accelerate the delivery of web content like JavaScript and CSS, making for an even faster Ext experience.
The Ext CDN also provides the ability to create your own custom builds using Ext’s Build It! tool, and host them on the CDN. The custom builder implements features to intelligently cache your component selections, adapter, and Ext version to create a unique custom build. These custom builds are cached across sessions and used by anyone who makes the same selections as you have – allowing for caching of custom builds across applications to fully realize the benefits of the CDN.

WordPress for the iPhone

Claude — Thu, 24 Jul 2008 00:04:19 +0000

In case you haven’t heard, WordPress is now available for the iPhone and iPod Touch. Head over to the App Store to get your free copy.

“Where on Earth” Platform by Yahoo!

Claude — Wed, 14 May 2008 15:17:59 +0000

It is actually the newly released Yahoo! Internet Location Platform, which allows applications to share predefined location identifiers, known as WOEIDs.

You can use the platform to match a WOEID to a place on earth, find parent and child relationships to that location and neighboring areas.

The Yahoo! Internet Location Platform provides a resource for managing all geo-permanent named places on Earth. Our purpose in creating the Internet Location Platform is to provide the Yahoo! Geographic Developer Community with the vocabulary and grammar to describe the world’s geography in an unequivocal, permanent, and language-neutral manner.
The Internet Location Platform is designed to facilitate spatial interoperability and geographic discovery; users can traverse the spatial hierarchy, identify the geography relevant to their users and their business, and in turn, unambiguously geotag, geotarget, and geolocate data across the Web.

Where is ColdFusion Headed Under Adobe?

Claude — Mon, 12 Dec 2005 21:29:00 +0000

From the ColdFusion Developer Journal:

“Adobe has been very successful in selling into the enterprise. This can only help ColdFusion going forward,” says Dave Mendels, SVP of Adobe’s new Enterprise & Developer Solutions business unit (pictured), in this exclusive interview with ColdFusion Developer’s Journal. ‘Scorpio’ is still on course, Mendels confirms, and the ColdFusion product development team is already hard at work devising the best way to harness synergies between CF and Adobeâ€™s LiveCycle products.

Read this CFDJ article…