Hash Algorithm Collision Fix using an Apache Module

2012-02-04

As promised here, I've put the Apache module that protects Java and PHP sites from Hash Algorithm Collision DOS attacks on GitHub.

The module can be used by sites that run an Apache reverse proxy in front of their Java (Tomcat, JBoss, ...) or PHP sites.

The module parses the HTTP GET or POST parameters, calculates their hashes the way the backend platform would, and checks that neither the number of hash collisions nor the number of parameters exceeds a configured maximum. If either limit is exceeded, the HTTP request is discarded and never sent to the backend system.
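
As an added illustration (not the module's own code), the check described above in Python: it reproduces the Java and PHP 5 string hashes, counts how many parameter names share one hash value, and rejects the request when that count or the total parameter count exceeds a limit. The limit values, function names and sample queries are assumptions made for this example.

```python
from collections import Counter
from itertools import product
from urllib.parse import parse_qsl


def java_hash(name: str) -> int:
    """java.lang.String.hashCode(): h = 31*h + c over UTF-16 code units, 32-bit
    signed wraparound (BMP characters assumed, so ord() equals the code unit)."""
    h = 0
    for ch in name:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def php_hash(name: str) -> int:
    """PHP 5 DJBX33A (zend_inline_hash_func): h = h*33 + byte from seed 5381 in a
    64-bit unsigned long; numeric-string keys are hashed as strings for simplicity."""
    h = 5381
    for b in name.encode("utf-8"):
        h = (h * 33 + b) & 0xFFFFFFFFFFFFFFFF
    return h


HASHERS = {"Java": java_hash, "PHP": php_hash}


def check_request(query, language, max_params=1000, max_collisions=10):
    """Return (accept, reason): reject when more than max_params parameters are
    sent, or more than max_collisions parameter names share one backend hash.
    Both defaults are illustrative assumptions, not the module's own settings."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if len(pairs) > max_params:
        return False, f"{len(pairs)} parameters exceed limit {max_params}"
    buckets = Counter(HASHERS[language](name) for name, _ in pairs)
    worst = max(buckets.values(), default=0)
    if worst > max_collisions:
        return False, f"{worst} names share one {language} hash (limit {max_collisions})"
    return True, "ok"


def colliding_query(blocks, repeat=4):
    """Constructed test input: concatenations of equal-length colliding blocks
    still collide, so all 2**repeat parameter names land on one hash."""
    return "&".join("".join(p) + "=x" for p in product(blocks, repeat=repeat))


if __name__ == "__main__":
    print(check_request("user=bob&page=2&sort=name", "Java"))
    print(check_request(colliding_query(["Aa", "BB"]), "Java"))  # "Aa" and "BB" collide
    print(check_request(colliding_query(["Ez", "FY"]), "PHP"))   # "Ez" and "FY" collide
```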

Install

The module uses the GNU autotools installation method, you just have to tell it where your Apache server is installed. Your Apache server needs to support DSO modules.

./configure --with-apache=/path/to/apache/install
make
make install

The install action will place libmodhacf.so in the Apache server's modules directory and add a LoadModule directive in httpd.conf. You should see a line similar to the following in your httpd.conf:

LoadModule hacf_module        modules/libmodhacf.so

Usage

If you already use an Apache reverse proxy, just add the correct HacfLanguage directive to the relevant section of your httpd.conf.

The configuration for a Java site with URL http://server.example.com/app would be:

<Location /app>
  HacfLanguage Java
  ProxyPass http://server.example.com/app
  ProxyPassReverse http://server.example.com/app
</Location>

For a PHP5 site, use PHP as the value of the HacfLanguage setting.

The request filtering can be tuned using the parameters:

The default settings for these parameters can seem aggressive, but they should be fine for most applications.

What's next?

The code on GitHub has a fairly limited feature set because I set out to protect one specific customer's site, but a Version 1.0.0 Milestone release is planned with support for APR 1 (Apache 2.2), PHP4 sites and Python (Plone and mod_python) sites.