httpd-dev mailing list archives

From Weibin Yao <nbubi...@gmail.com>
Subject Re: Mitigating the Slowloris DoS attack
Date Tue, 23 Jun 2009 02:40:59 GMT
William A. Rowe, Jr. at 2009-6-23 2:00 wrote:
> Andreas Krennmair wrote:
>   
>> * Guenter Knauf <fuankg@apache.org> [2009-06-22 04:30]:
>>     
>>> wouldn't limiting the number of simultaneous connections from one IP
>>> already help? F.e. something like:
>>> http://gpl.net.ua/modipcount/downloads.html
>>>       
>> Not only would this be futile against the Slowloris attack (imagine n
>> connections from n hosts instead of n connections from 1 host), it would
>> also potentially lock out groups of people behind the same NAT gateway.
>>     
>
> FWIW mod_remoteip can be used to partially mitigate the weakness of this
> class of solutions.
>
> However, it only works for known, trusted proxies, and can only be safely
> used for those with public IPs.  Where the same 10.0.0.5 on your private
> NAT backed becomes the same 10.0.0.5 within the apache server's DMZ, the
> issues like Allow from 10.0.0.0/8 become painfully obvious.  I haven't
> found a good solution, but mod_remoteip still needs one, eventually.
>
>   
I have an idea to mitigate the problem: put Nginx as a reverse proxy
server in front of Apache.

-- 
Weibin Yao

