httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <>
Subject Re: mod_noloris: mitigating against slowloris-style attack
Date Thu, 25 Jun 2009 17:43:53 GMT

On 06/25/2009 04:19 PM, Nick Kew wrote:
> Plüm, Rüdiger, VF-Group wrote:
>>> Is this worth hacking up, or more trouble than it saves?
>> I guess the approach is good, but there are already modules in the
>> wild that provide this. So the question is: Should we do our own?
>> BTW: I remember that there was a request a while ago to move
>> mod_limitipconn
>> (one of those modules) inside httpd, but I haven't got the archives
>> at hand right now to check. Maybe an idea to come back to this.
> mod_limitipconn works at the request level, so won't help with
> slowloris-style attacks.  Same goes for mod_evasive - someone
> posted "mod_evasive doesn't help" on users@, and that'll be why.

I have and use a patch that hooks it up to the preconnection hook
and checks if the number of connections from the IP of the connection
that are in read state breaks a certain limit. If yes, the connection
is closed.
So this is fixable in principle.
But I must admit that my patch is very old and I don't know if it
still follows my current quality requirements for the httpd project :-).
Plus it is against an old version. But the only real problem that I
see here is that I am like others currently working very close to ENOTIME.



View raw message