httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Dumpleton <>
Subject Re: Mitigating the Slowloris DoS attack
Date Mon, 22 Jun 2009 03:54:32 GMT
2009/6/22 Guenter Knauf <>:
> Hi Andreas,
> Andreas Krennmair schrieb:
>> For those who are still unaware of the Slowloris attack, it's a
>> denial-of-service attack that consumes Apache's resources by opening up
>> a great number of parallel connections and slowly sending partial
>> requests, never completing them. Since Apache limits the number of
>> parallel clients it serves (the MaxClients setting), this blocks further
>> requests from being completed. Unlike other "traditional" TCP DoS
>> attacks, this HTTP-based DoS attack requires only very little network
>> traffic in order to be effective.  Information about the Slowloris
>> attack including a PoC tool was published here:
>> I thought for some time about the whole issue, and then I developed a
>> proof-of-concept patch for Apache 2.2.11 (currently only touches the
>> prefork MPM), which you can download here:
> wouldnt limiting the number of simultanous connections from one IP
> already help? F.e. something like:

Not if the attack is launched from a botnet, which is the more likely
scenario for people who really want to hide their tracks.

BTW, focus here seems to be on the reading of the request headers
themselves. Can't trickling of actual request content data to a URL
equally tie up handler threads. Either in the case where request
handler is doing the reads of request content, or for the case of
success status, by ap_discard_request_body() at the end of the request
and where HTTP/1.1 and keep alive requested.

The only difference really is that if done with request headers,
nothing would be logged about it in access logs, so not easy to track.


View raw message