httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: Mitigating the Slowloris DoS attack
Date Mon, 22 Jun 2009 08:06:47 GMT
Guenter Knauf wrote:


> Hi Andreas,
> Andreas Krennmair schrieb:

>> For those who are still unaware of the Slowloris attack, it's a
>> denial-of-service attack that consumes Apache's resources by opening up
>> a great number of parallel connections and slowly sending partial
....
>> attack including a PoC tool was published here:
>> http://ha.ckers.org/slowloris/
>>
>> I thought for some time about the whole issue, and then I developed a
>> proof-of-concept patch for Apache 2.2.11 (currently only touches the
>> prefork MPM), which you can download here:
>> http://synflood.at/tmp/anti-slowloris.diff

> wouldn't limiting the number of simultaneous connections from one IP
> already help? E.g. something like:
> http://gpl.net.ua/modipcount/downloads.html

Keep in mind that, if this attack turns into a real issue, it is likely 
to be through a vector like botnets. It is pretty common* to see lots of 
bots behind a single (corporate) NAT gateway.

You would not necessarily want to penalize an entire intranet for their 
lack of security that way. That is not our job :).

Also - these things are only a problem when the server is resource-tight 
- and even then - it could be modified to just invest little at that 
point -- either by having a different accept mechanism -or- by detecting 
sluggishness and then handing the connection back to something more 
async/single-threaded which deals with all slow connections - freeing up 
the 'full' worker for real work.

Dw

*: e.g. see the Conficker stats.
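The second idea in the message above (detect a sluggish connection and hand it to a single-threaded, asynchronous handler, so that a full prefork worker is not held waiting for headers that never finish) as an added example. This is illustration code written for this page, not the proof-of-concept patch, modipcount, or any Apache code. The function and variable names (read_headers, serve_one, simulate), the 0.5 second header deadline, the 8 KiB header cap and the sample request bytes are all assumptions; the traffic is constructed in-line. One asyncio loop on one thread services a normal client and a few hundred Slowloris-style clients that trickle one bogus header line at a time; the deadline covers the whole header block, so a client cannot reset the clock by sending another byte.

```python
import asyncio
import time

# Constructed sample traffic (not from the thread): one well-behaved client that
# sends a complete header block at once, and a Slowloris-style client that sends
# a partial request and then one bogus header line at a time, never the blank
# line that ends the headers.
NORMAL_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SLOWLORIS_PIECES = [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n"] + [
    b"X-a: %d\r\n" % i for i in range(50)
]

HEADER_END = b"\r\n\r\n"


class SlowClientError(Exception):
    """Raised when a client fails to finish its request headers in time."""


async def read_headers(reader, header_timeout, max_header_bytes=8192):
    """Read one HTTP header block from `reader` under an overall deadline.

    The deadline applies to the whole header block, not to each read, so a
    client that trickles one line at a time is dropped once `header_timeout`
    seconds have passed, however many bytes it has sent in the meantime.
    """
    loop = asyncio.get_running_loop()
    deadline = loop.time() + header_timeout
    buf = bytearray()
    while True:
        remaining = deadline - loop.time()
        if remaining <= 0:
            raise SlowClientError("headers not complete within %.2fs" % header_timeout)
        try:
            chunk = await asyncio.wait_for(reader.read(1024), timeout=remaining)
        except asyncio.TimeoutError:
            raise SlowClientError("headers not complete within %.2fs" % header_timeout)
        if not chunk:
            raise SlowClientError("client closed before headers completed")
        buf += chunk
        if len(buf) > max_header_bytes:
            raise SlowClientError("header block exceeds %d bytes" % max_header_bytes)
        end = buf.find(HEADER_END)
        if end != -1:
            return bytes(buf[:end])  # header block without its terminator


async def feed(reader, pieces, interval):
    """Stand-in for the network: push `pieces` into the reader one at a time."""
    for piece in pieces:
        reader.feed_data(piece)
        await asyncio.sleep(interval)
    # No feed_eof(): like Slowloris, the client simply keeps the socket open.


async def serve_one(pieces, interval, header_timeout):
    """Handle one connection; returns ("served", headers) or ("dropped", reason)."""
    reader = asyncio.StreamReader()
    feeder = asyncio.create_task(feed(reader, pieces, interval))
    try:
        headers = await read_headers(reader, header_timeout)
        return ("served", headers)
    except SlowClientError as exc:
        return ("dropped", str(exc))
    finally:
        # Dropping the connection: stop the simulated client as well.
        feeder.cancel()
        try:
            await feeder
        except asyncio.CancelledError:
            pass


async def _run(n_slow, header_timeout):
    start = time.monotonic()
    results = await asyncio.gather(
        serve_one([NORMAL_REQUEST], 0.0, header_timeout),
        *[serve_one(SLOWLORIS_PIECES, 0.05, header_timeout) for _ in range(n_slow)],
    )
    normal, slow = results[0], results[1:]
    return {
        "normal": normal[0],
        "slow_dropped": sum(1 for status, _ in slow if status == "dropped"),
        "slow_served": sum(1 for status, _ in slow if status == "served"),
        "elapsed": time.monotonic() - start,
    }


def simulate(n_slow=200, header_timeout=0.5):
    """Serve one normal client alongside `n_slow` Slowloris clients on one thread."""
    return asyncio.run(_run(n_slow, header_timeout))


if __name__ == "__main__":
    print(simulate())
```

Running the file serves the normal client immediately and drops all 200 slow clients about half a second later, with the whole batch costing one thread and one loop rather than 201 prefork processes. The deadline is the only defence shown here; the limit that Apache httpd later shipped for this purpose, mod_reqtimeout's RequestReadTimeout (added in 2.2.15), additionally enforces a minimum data rate. Note that neither a deadline nor a minimum rate involves a per-IP count, so clients behind a shared NAT gateway are not penalised for one another.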
