httpd-dev mailing list archives

From Weibin Yao
Subject Re: Mitigating the Slowloris DoS attack
Date Tue, 23 Jun 2009 02:40:59 GMT
William A. Rowe, Jr. at 2009-6-23 2:00 wrote:
> Andreas Krennmair wrote:
>> * Guenter Knauf [2009-06-22 04:30]:
>>> wouldn't limiting the number of simultaneous connections from one IP
>>> already help? F.e. something like:
>> Not only would this be futile against the Slowloris attack (imagine n
>> connections from n hosts instead of n connections from 1 host), it would
>> also potentially lock out groups of people behind the same NAT gateway.
> FWIW mod_remoteip can be used to partially mitigate the weakness of this
> class of solutions.
> However, it only works for known, trusted proxies, and can only be safely
> used for those with public IPs.  Where the same on your private
> NAT backed becomes the same within the apache server's DMZ, the
> issues like Allow from become painfully obvious.  I haven't
> found a good solution, but mod_remoteip still needs one, eventually.
I have an idea to mitigate the problem: put Nginx as a reverse proxy
server in front of Apache.

Weibin Yao
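
A minimal sketch of the reverse-proxy arrangement suggested in the message above, added here as an illustration and not taken from the thread or from either project. The backend address 127.0.0.1:8080, the server name, and every timeout and limit value are assumptions.

```nginx
# Added example: nginx in front of an Apache backend.
# Assumed: Apache listens on 127.0.0.1:8080; all numbers are illustrative.

worker_processes auto;

events {
    # A slow or idle client holds one socket in the event loop here,
    # not an Apache worker process or thread.
    worker_connections 4096;
}

http {
    # Per-address connection accounting (shared memory zone "per_ip").
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;

    upstream apache_backend {
        server 127.0.0.1:8080;
        keepalive 16;                     # reuse backend connections
    }

    server {
        listen 80;
        server_name www.example.org;      # placeholder name

        # Drop clients that do not deliver the request header in time,
        # or that stall between reads of the request body.
        client_header_timeout 10s;
        client_body_timeout   10s;
        send_timeout          10s;
        keepalive_timeout     15s;

        # Kept deliberately generous: as noted in the thread, a tight
        # per-IP cap locks out users behind one NAT gateway and does
        # nothing against n connections from n hosts.
        limit_conn per_ip 50;

        location / {
            proxy_pass http://apache_backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            # Apache now sees the proxy's address; mod_remoteip can
            # restore the client address from this header when the
            # proxy is configured as trusted.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Default behaviour, stated explicitly: the request body is
            # read in full before it is passed to the backend.
            proxy_request_buffering on;
        }
    }
}
```

Check the syntax with `nginx -t` before reloading, and move Apache's own listener to the loopback address so it is reachable only through the proxy.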
