httpd-dev mailing list archives

From Matthieu Estrade <mestr...@apache.org>
Subject Re: Mitigating the Slowloris DoS attack
Date Mon, 22 Jun 2009 21:46:02 GMT
Hi,

How about coding a module that looks at how many bytes are read and, if the
chunk of data is too small, closes the connection.
Something like a MinDataReadSize. If the read() function reads too little
data, close() the socket... Dunno if it's possible to hook directly into the
connection hook to do this...

Matthieu

William A. Rowe, Jr. wrote:
> Andreas Krennmair wrote:
>> * Guenter Knauf <fuankg@apache.org> [2009-06-22 04:30]:
>>> wouldn't limiting the number of simultaneous connections from one IP
>>> already help? F.e. something like:
>>> http://gpl.net.ua/modipcount/downloads.html
>> Not only would this be futile against the Slowloris attack (imagine n
>> connections from n hosts instead of n connections from 1 host), it would
>> also potentially lock out groups of people behind the same NAT gateway.
> 
> FWIW mod_remoteip can be used to partially mitigate the weakness of this
> class of solutions.
> 
> However, it only works for known, trusted proxies, and can only be safely
> used for those with public IPs.  Where the same 10.0.0.5 on your private
> NAT backend becomes the same 10.0.0.5 within the apache server's DMZ, the
> issues like Allow from 10.0.0.0/8 become painfully obvious.  I haven't
> found a good solution, but mod_remoteip still needs one, eventually.
> 

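As an added illustration of the MinDataReadSize idea in the message above (this is not code from the thread or from httpd; the names, thresholds and policy are my assumptions): a standalone C policy function that an input filter or connection hook could call after every read(). It enforces a minimum number of header bytes per time window rather than per read, because a single small read() is normal for legitimate clients, and it stops policing once the request head is complete.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed policy (names and thresholds are assumptions): a connection must
 * deliver at least min_bytes of request-header data in every window_secs or be
 * closed. Measuring per window, not per read(), spares legitimate clients that
 * send one header line per packet while still catching a Slowloris client. */
typedef struct {
    uint32_t min_bytes;     /* the MinDataReadSize of the proposal */
    uint32_t window_secs;
} slow_policy;

typedef struct {
    uint64_t window_start;  /* second at which the current window began */
    uint64_t bytes_in_window;
    int      newlines;      /* consecutive LF seen so far, CR ignored */
    bool     headers_done;  /* stop policing once the request head ends */
} conn_state;

void conn_init(conn_state *s, uint64_t now)
{
    *s = (conn_state){ .window_start = now };
}

/* Call after each successful read() of n bytes at wall-clock second now.
 * Returns true when the connection should be closed. */
bool conn_on_read(conn_state *s, const slow_policy *p,
                  const char *buf, size_t n, uint64_t now)
{
    if (s->headers_done)
        return false;               /* request bodies may legitimately be slow */
    s->bytes_in_window += n;
    for (size_t i = 0; i < n && !s->headers_done; i++) {
        if (buf[i] == '\r')
            continue;               /* accept both CRLF and bare LF */
        s->newlines = (buf[i] == '\n') ? s->newlines + 1 : 0;
        if (s->newlines == 2)
            s->headers_done = true; /* blank line terminates the header block */
    }
    if (s->headers_done)
        return false;               /* head complete: let the request proceed */
    if (now - s->window_start >= p->window_secs) {
        if (s->bytes_in_window < p->min_bytes)
            return true;            /* a whole window passed with too little data */
        s->window_start = now;      /* enough data: start a fresh window */
        s->bytes_in_window = 0;
    }
    return false;
}
```

The window length and byte threshold would need tuning per site, and this does nothing against an attacker who simply opens many idle connections, which the existing Timeout and connection limits still have to cover.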
