A recent disclosure on seclists.org about a Denial of Service attack against Apache web servers has raised concerns about whether IIS web servers are affected. We will quickly talk about the issue and its impact on IIS web servers in this post.
HTTP requests give you the ability to send a request to a web server and elicit only a portion of the response by using the 'Range' header. For example, if you are requesting a text file, but only want the first 500 bytes, you would send the request with the following HTTP header: Range: 0-499 \r\n. This feature allows for multiple comma-separated ranges to be specified within the header, so I could get the same result as above by specifying Range: 0-199,200-499.
This feature can theoretically be abused by specifying several ranges that will cause server-side processing of the response to consume excessive resources. So if I sent Range: 0-,0-,0-,0-,0-,0- the server would produce a response by replicating the resource requested six times and consuming resources in the process of concatenating the response. So it is possible to send a malicious request and cause a Denial of Service on the server side.
Is IIS affected?
IIS 6 and above are NOT affected because IIS only allows up to 5 ranges within any HTTP request in the Range header. The resources consumed on the server side for such a request is not sufficient to cause a Denial of Service. IIS 5, however, does not have this limitation and is hence affected by such a vulnerability. IIS5 however is not supported by Microsoft anymore, and if you still have IIS 5 web servers deployed you should consider upgrading to the latest Windows Server version.