diff --git a/server/index.js b/server/index.js
index 82f54d692d15..513a87e15a13 100644
--- a/server/index.js
+++ b/server/index.js
@@ -171,12 +171,20 @@ export default class Server {
 await renderScript(req, res, page, this.renderOpts)
 },
- '/_next/:path?': async (req, res, params) => {
+ // It's very important keep this route's param optional.
+ // (but it should support as many as params, seperated by '/')
+ // Othewise this will lead to a pretty simple DOS attack.
+ // See more: https://github.com/zeit/next.js/issues/2617
+ '/_next/:path*': async (req, res, params) => {
 const p = join(__dirname, '..', 'client', ...(params.path || []))
 await this.serveStatic(req, res, p)
 },
- '/static/:path?': async (req, res, params) => {
+ // It's very important keep this route's param optional.
+ // (but it should support as many as params, seperated by '/')
+ // Othewise this will lead to a pretty simple DOS attack.
+ // See more: https://github.com/zeit/next.js/issues/2617
+ '/static/:path*': async (req, res, params) => {
 const p = join(this.dir, 'static', ...(params.path || []))
 await this.serveStatic(req, res, p)
 }
diff --git a/test/integration/production/static/data/item.txt b/test/integration/production/static/data/item.txt
new file mode 100644
index 000000000000..a71307425348
--- /dev/null
+++ b/test/integration/production/static/data/item.txt
@@ -0,0 +1 @@
+item
\ No newline at end of file
diff --git a/test/integration/production/test/index.test.js b/test/integration/production/test/index.test.js
index 40eb47a1c569..5d3a715ff773 100644
--- a/test/integration/production/test/index.test.js
+++ b/test/integration/production/test/index.test.js
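Review bot: With `:path*`, every URL segment captured by the router is spread into `join()` in both the `/_next/` and `/static/` handlers, and nothing visible in this hunk checks that the resulting `p` still lies under the intended base directory. `join()` normalises `..` segments, so containment has to be enforced either here or inside `serveStatic`, whose body is outside the hunk. If it is not already done there, a guard before the `serveStatic` call such as `const base = join(this.dir, 'static'); if (p !== base && !p.startsWith(base + sep)) { /* answer 404 */ }` (with `sep` from `path`) would close that gap, and the same applies to the `client` base. Separately, the four-line comment is duplicated verbatim on both routes and has typos ("important keep", "seperated", "Othewise"); one corrected comment above the first route would be easier to maintain.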
@@ -77,4 +77,15 @@ describe('Production Usage', () => {
 browser.close()
 })
 })
+
+ describe('Misc', () => {
+ it('should allow to access /static/ and /_next/', async () => {
+ // This is a test case which prevent the following issue happening again.
+ // See: https://github.com/zeit/next.js/issues/2617
+ await renderViaHTTP(appPort, '/_next/')
+ await renderViaHTTP(appPort, '/static/')
+ const data = await renderViaHTTP(appPort, '/static/data/item.txt')
+ expect(data).toBe('item')
+ })
+ })
 })
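Review bot: The first two requests in the new `it` block, `renderViaHTTP(appPort, '/_next/')` and `renderViaHTTP(appPort, '/static/')`, are awaited but nothing is asserted about their results, so the regression is presumably caught only if the request rejects or the test times out. Capture the bodies and assert on them, e.g. `const html = await renderViaHTTP(appPort, '/static/')` followed by an `expect` on the expected not-found output. At minimum, add `// No assertion: these requests only need to complete without hanging or crashing the server.` so the intent is explicit. The test also covers only the happy path for the multi-segment route; a case asserting that a path resolving outside `static/` is answered with a 404 would pin the containment behaviour as well. The enclosing `describe('Production Usage')` block starts outside the hunk.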