8

I thought my server was safe with http-guardian but apparently not. Some smart arse keeps hitting my server with 'Keep-Dead' and causing it to crash.

I've looked through the logs but can't see any way to tell the requests apart from a regular visitor whose browser is quickly loading all the components on a busy page.

Any advice would be appreciated.

Tom O'Connor
  • Oh sorry, I should have said. The only info I've managed to find on Keep-Dead so far is on http://www.esrun.co.uk/blog/keep-alive-dos-script/ . But it contains no hints about how to block it! – Mar 21 '11 at 18:02
  • Pedantic Note: You're **never** safe. If someone wants to bad enough, they always will be able to get in. Period. – ircmaxell Mar 21 '11 at 18:04

2 Answers

6

Disable HTTP keep-alive, or install a server that isn't affected by this as a proxy in front of Apache. Nginx would be a good choice here.

This attack appears to be similar to the Slowloris attack, in that it exploits a specific feature of Apache. It's pretty trivial to defend against.

Note: If you install nginx, disable keep-alive on apache, and keep it enabled on nginx.

devicenull
  • Isn't keep-alive a pretty important feature? I could understand temporarily disabling it, but permanently? – TheLQ May 10 '11 at 22:54
  • It may result in slightly longer load times, but it's not like it's going to result in your site failing to load for people. Installing nginx in front is a far better solution. – devicenull May 11 '11 at 04:29
  • @devicenull Does this mean the client will benefit from a keepalive connection although apache (or the upstream app server) has keepalive disabled? So basically there is no need for both the app server and the proxy server to enable keepalive? Thanks! – haxpor Jul 24 '18 at 07:32
  • @haxpor That's an interesting question, I wish someone would answer that. – Manuel Apr 27 '20 at 16:13
2

Keep-Dead works by sending HEAD requests while keeping the TCP connection alive (Keep-Alive, thus the name of the script). That is probably quite distinct from legit requests to your webserver that would probably mostly be POST/GET. Ask your IDS/IPS to detect numerous HEAD requests within a short timespan and do what's appropriate.

cathper
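As an added example, not part of any answer above: a small Python detector along the lines of cathper's suggestion, counting HEAD requests per client IP over a sliding time window. It runs on constructed Apache combined-format log lines; the IPs, the threshold of 20 HEADs and the 10-second window are assumptions you would tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method) for one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"]


def find_head_floods(lines, max_heads=20, window_seconds=10):
    """Flag client IPs that exceed max_heads HEAD requests inside any
    window_seconds-long sliding window. GET/POST lines are ignored, so a
    browser fetching all the assets of a busy page is not flagged."""
    recent = defaultdict(deque)  # ip -> timestamps of recent HEAD requests
    flagged = {}                 # ip -> first timestamp the threshold was crossed
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "HEAD":
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old entries
            q.popleft()
        if len(q) > max_heads and ip not in flagged:
            flagged[ip] = ts
    return flagged


def _constructed_sample():
    """Constructed sample log: a browser loading 30 page assets with GET, and one
    client (assumed IP) issuing 25 HEAD requests within three seconds."""
    fmt = '{ip} - - [21/Mar/2011:18:02:{sec:02d} +0000] "{m} {p} HTTP/1.1" 200 512 "-" "ua"'
    lines = [fmt.format(ip="203.0.113.5", sec=i, m="GET", p=f"/asset{i}.js") for i in range(30)]
    lines += [fmt.format(ip="198.51.100.7", sec=i // 10, m="HEAD", p="/") for i in range(25)]
    return lines


SAMPLE_LOG = _constructed_sample()
```

Feed real access-log lines (for example via `tail -f`) instead of `SAMPLE_LOG`, and hand the flagged IPs to whatever your IDS/IPS or firewall uses for temporary blocking.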