33

Recently a script called "slowloris" has gained attention. The basic concept of what slowloris does is not a new attack, but given the recent attention I have seen a small increase in attacks against some of our Apache websites.

At the moment there does not appear to be any 100% defence against this.

The best solution we have determined (so far) is to increase MaxClients.

This of course does nothing more than increase the requirements for the attacker's computer and does not actually protect the server 100%.

One other report indicates that using a reverse proxy (such as Perlbal) in front of the Apache server can help prevent the attack.

Using mod_evasive to limit the number of connections from one host and using mod_security to deny requests that look like they were issued by slowloris seems to be the best defence so far.

Has anyone on ServerFault been experiencing attacks such as this? If so, what measures did you implement to defend/prevent it?

NOTE: This question is for Apache servers as it is my understanding that Windows IIS servers are not affected.

KPWINC

7 Answers

24

I experienced such an attack ... in the middle of midsummer (23rd of June), when you are supposed to be in the countryside drinking beer :>

I put my Apache behind Varnish, which not only protected from slowloris, but also accelerated web requests quite a bit.

Also, iptables helped me:

# Drop new connections to port 80 from a source that already holds more than 20.
# --connlimit-mask 32 counts per single IPv4 address; iptables rejects masks
# above 32 for IPv4, so use 32 here (or --connlimit-mask 128 with ip6tables).
iptables -I INPUT -p tcp --dport 80 \
         -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP

This rule limits one host to 20 connections to port 80, which should not affect non-malicious users, but would render slowloris unusable from one host.

Kristaps (edited by Bagus Tesa)

  • +1 for the iptables rule. – Tim Jun 26 '09 at 22:39
  • Just a heads up. "Out of the box", Varnish doesn't cache pages if it received cookies. You need to do some custom configuration to get around this. Examples are available on their site and are easy to implement. – David Jun 28 '09 at 00:57
  • Varnish is quite programmable, so you may be able to configure it to see what's happening and deal with it. However, I think that by putting a proxy in front of Apache, you're just moving the problem from the web server to the proxy. The problem is still there, just in a different place. Connections/ports will still be used up. I'd start with the iptables rule listed (or the equivalent for your firewall), then look at a proxy. – David Jun 28 '09 at 01:08
  • The issue with the slowloris attack is limited to Apache's multi-threading model (and several other webservers that use a similar model). Varnish should survive that. – Cian Jul 13 '09 at 18:44
  • Unless you are using IPv6 (highly unlikely, since the question is quite old), a `connlimit-mask` above 32 doesn't really make a lot of sense. 32 should be fine. – Bogd Feb 23 '21 at 07:13
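Added example (not part of Kristaps's answer): a POSIX shell script that prints the per-source connection-limit rule for both IPv4 (mask 32) and IPv6 (ip6tables, mask 128), and an awk check that counts established port-80 connections per peer from `ss` output so you can see which sources are actually over the limit before and after applying the rule. The addresses and the `ss` sample are constructed for the demonstration; the script prints the firewall commands rather than running them, and the `offenders` function assumes the column layout of `ss -tn state established '( sport = :80 )'` (no State column).

```shell
#!/bin/sh
# Per-source connection limit against slowloris-style connection hoarding.
# Added example (not from the original answer); all addresses are constructed.

PORT=80
LIMIT=20   # connections allowed per source before further ones are dropped

# Print the firewall command for one address family (4 or 6).  A /32 (IPv4) or
# /128 (IPv6) mask counts connections per single source address; a wider mask
# (e.g. 24) would aggregate a whole network and punish everyone behind a NAT.
connlimit_rule() {
  family=$1
  if [ "$family" = 6 ]; then
    tool=ip6tables; mask=128
  else
    tool=iptables; mask=32
  fi
  printf '%s -I INPUT -p tcp --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -j DROP\n' \
    "$tool" "$PORT" "$LIMIT" "$mask"
}

# Read `ss -tn state established '( sport = :80 )'` output on stdin and print
# "peer count" for every peer holding more than $LIMIT connections.
# Expected input (header line, then one connection per line):
#   Recv-Q Send-Q Local Address:Port Peer Address:Port
#   0      0      10.0.0.5:80        203.0.113.7:51234
offenders() {
  awk -v limit="$LIMIT" '
    NR == 1 { next }                      # skip the header line
    {
      peer = $4
      # strip the :port suffix; IPv6 peers look like [2001:db8::1]:4567
      if (peer ~ /^\[/) { sub(/\]:[0-9]+$/, "", peer); sub(/^\[/, "", peer) }
      else              { sub(/:[0-9]+$/, "", peer) }
      n[peer]++
    }
    END { for (p in n) if (n[p] > limit) print p, n[p] }
  ' | sort
}

# Constructed ss sample: one ordinary client with two connections, one IPv6
# client, and one source holding 25 half-open requests, the slowloris pattern.
sample_ss() {
  printf 'Recv-Q Send-Q Local Address:Port Peer Address:Port\n'
  printf '0 0 10.0.0.5:80 198.51.100.2:40001\n'
  printf '0 0 10.0.0.5:80 198.51.100.2:40002\n'
  i=0
  while [ "$i" -lt 25 ]; do
    printf '0 0 10.0.0.5:80 203.0.113.7:%s\n' $((51000 + i))
    i=$((i + 1))
  done
  printf '0 0 [2001:db8::1]:80 [2001:db8::99]:60001\n'
}

# Usage: sh connlimit.sh --show   (prints the rules, then the offenders in the sample)
# On a real host replace sample_ss with: ss -tn state established '( sport = :80 )'
if [ "${1:-}" = "--show" ]; then
  connlimit_rule 4
  connlimit_rule 6
  sample_ss | offenders
fi
```

The check is worth running before the rule goes in: if legitimate peers (a large office behind one NAT address, a monitoring system, a reverse proxy in front of you) already sit near 20 connections, the limit needs raising or an exception, and the proxy's address in particular must never be connlimited, or the rule cuts off every real user at once.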
4

mod_antiloris, simple as that.

LiraNuna (edited by tpml7)
3

If all your Apache modules are thread safe, slowloris can be defeated simply by switching to the event or worker MPMs (ref: here).

Cian
0

Right now it seems that there's nothing more to do than limiting the max concurrent connections per IP on the server.

Maxwell
0

There's a user patch you can try. It modifies the timeout based on the load the server is under, but considering its status, you might not want to use it on a production machine, without some serious testing. Take a look here.

Dentrasi
0

An iptables-based firewall should protect you from multiple connections from one IP.

0

If this helps anyone else, you can sometimes overcome this issue with Apache 2.2.15 or greater with the following configuration:

LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

More info here: https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html

MrCarrot