Tim Gaudette (iamtjg)

When WebDAV Attacks!!!

It was a nice calm Thursday morning... or so we thought...

The Problem

We came in to reports of the production Apache web server being 'slow.'

Sure enough the server was maxed out on total workers. But why?

We discovered continuous OPTIONS requests via Microsoft Office Discovery Protocol coming from a single person's computer. Upon speaking with the individual, we found they were doing absolutely nothing.

Doing a deeper dive into the logs we discovered these types of requests were coming from many other computers as well.

Attempts

Turned off mod_dav. We had been experimenting with stuff a while back but did not need it anymore.

Requests still kept coming.

Denied all requests coming from the Office Discovery Protocol user agent.

Requests still kept coming.

What is the Office Existence Discovery Protocol?

Let's take a moment to learn a little bit about the Office Discovery Protocol.

When someone goes to download an Office document from a website in Internet Explorer, it sends the URL for the document to the Office application rather than downloading it. The application then checks to see if the web server supports WebDAV. It is essentially checking to see if it is a SharePoint server and can utilize the collaborative features that would provide. There is nothing wrong with this. You would definitely want to take advantage of those features if available.

Now, here is how this affects the specific problem at hand.

The Office Discovery Protocol expects WebDAV details as part of the response it receives to determine if the server supports it. Since mod_dav was turned off you would expect Office to stop making the requests when it did not get the information it needed. But it did not.

The server responds with a 200 OK status as the request is a valid HTTP OPTIONS request. The Office Discovery Protocol would continue to make requests so long as it received a 200 OK regardless of WebDAV support information.
Note: This will continuously happen while the Office application is open.

Solution

Our solution was to rewrite all OPTIONS requests from the Office Discovery Protocol user agent to respond with a 405 Method Not Allowed status. After a few requests the client learns the server does not support WebDAV and stops making requests.

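# Answer Office/WebDAV discovery probes with 405 so the clients stop retrying.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS
# [OR] groups the three user-agent conditions; the method condition is ANDed with that group.
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\ Office\ Protocol\ Discovery [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\ Office\ Existence\ Discovery [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\-WebDAV\-MiniRedir.*$
RewriteRule .* - [R=405,L]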

Over time, clients in the environment learn and the requests diminish.

This poster had a similar situation; however, they still had DAV enabled.
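One way to check from the access log whether the rule is reaching every client, as an added example that is not part of the original post: it counts discovery OPTIONS requests per client and response status, using the user-agent prefixes from the rewrite conditions above. It assumes Apache's combined log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# User-agent prefixes taken from the rewrite conditions above.
OFFICE_AGENTS = (
    "Microsoft Office Protocol Discovery",
    "Microsoft Office Existence Discovery",
    "Microsoft-WebDAV-MiniRedir",
)

# Assumed Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def summarize_discovery(lines):
    """Return {client: Counter({status: hits})} for Office discovery OPTIONS requests."""
    per_client = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] == "OPTIONS" and m["agent"].startswith(OFFICE_AGENTS):
            per_client[m["host"]][int(m["status"])] += 1
    return dict(per_client)

def still_getting_200(summary, threshold=2):
    """Clients with at least `threshold` 200 responses, i.e. the 405 rule is not matching them."""
    return sorted(c for c, s in summary.items() if s[200] >= threshold)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2015:08:01:02 -0400] "OPTIONS /docs/ HTTP/1.1" 200 - "-" "Microsoft Office Protocol Discovery"
192.0.2.10 - - [12/Mar/2015:08:01:03 -0400] "OPTIONS /docs/ HTTP/1.1" 200 - "-" "Microsoft Office Protocol Discovery"
192.0.2.10 - - [12/Mar/2015:08:01:04 -0400] "OPTIONS /docs/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.0.2.22 - - [12/Mar/2015:08:01:05 -0400] "OPTIONS / HTTP/1.1" 405 231 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
192.0.2.22 - - [12/Mar/2015:08:01:06 -0400] "GET /docs/report.docx HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
192.0.2.30 - - [12/Mar/2015:08:01:07 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Apache (internal dummy connection)"
""".splitlines()

if __name__ == "__main__":
    summary = summarize_discovery(SAMPLE_LOG)
    for client, statuses in sorted(summary.items()):
        print(client, dict(statuses))
    print("still receiving 200:", still_getting_200(summary))
```

Clients that keep appearing with 200 responses are being served by a virtual host or directory context the rule does not cover.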

Other Options

If you do not have any servers that support this feature, you could completely disable Office Collaboration Features in the client configuration, assuming you have control over how the clients are configured.

I believe you can also disable the feature in Internet Explorer that supports this.

When WebDAV RETURNS

The cache that stores which servers are supported will get cleared at some point. If a large number of clients have their cache cleared at once you could see a flood of requests again.