According to the firm, whilst basic functionality to detect the issue has existed for several years in both the Sourcefire IPS offering and the open source Snort software, the company's VRT – vulnerability research team – has developed a new rule that specifically detects the exploit and helps administrators identify the specific tool being used to attack them.
Sourcefire says that, by using large malformed HTTP headers, Apache Killer allows an attacker to use a single PC to stage a denial of service attack. This attack is easily detected by the Snort engine’s HTTP Inspect preprocessor, which has an option to block oversized HTTP headers.
Since many different attacks against many different types of web servers have used different types of large HTTP headers over the years, the functionality has been made available by Sourcefire in order to pro-actively detect new vulnerabilities, as was the case with the Apache Killer tool.
The new rule – GID 1, SID 19825 – for the Sourcefire IPS and Snort platforms looks for HTTP 'range' headers that are broken in the specific way necessary to trigger the vulnerability used by Apache Killer.
According to Matt Watchinski, VP of vulnerability research with Sourcefire, the development of the rule is a great example of the enormous amount of protocol intelligence and deep packet inspection capability in the Snort engine.
“By allowing customers to identify anomalous network traffic at a general level, the Snort engine provides detection ahead of the threat for a variety of new exploits. This flexibility gives network defenders the time they need to patch their networks, as well as protection in cases where a patch is not yet available, as with Apache Killer”, he said.