From: Nick Kew
To: dev@httpd.apache.org
Date: Thu, 25 Jun 2009 14:39:50 +0100
Subject: mod_noloris: mitigating against slowloris-style attack
Message-ID: <4A437E26.2050103@webthing.com>
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm

I was just thinking about a quick & dirty fix we could offer to admins who are
suddenly concerned about a DoS attack.
The following, backed by dbm or memcache and assuming configurable default and
per-host concurrent connection limits, looks like an outline candidate and
works as a module:

#include "httpd.h"
#include "http_config.h"
#include "http_connection.h"

/* process_connection hook: runs once per accepted connection, before any
 * request is read, so it can see the client address of a connection that
 * never sends a complete request. */
static int noloris_conn(conn_rec *conn)
{
    /* kludge: just limit the number of connections per-ip */

    /* increment num-conn-from-host
     * register pool cleanup to decrement it
     * limit = per-host-limit || default-limit
     * if (num-conn > limit) {
     *     drop connection;
     *     return OK;
     * }
     */
    (void)conn;          /* outline only: counting not implemented yet */
    return DECLINED;     /* let the normal connection processing continue */
}

static void noloris_hooks(apr_pool_t *p)
{
    (void)p;
    ap_hook_process_connection(noloris_conn, NULL, NULL, APR_HOOK_FIRST);
}

/* module declaration so the outline loads as a module; no config directives yet */
module AP_MODULE_DECLARE_DATA noloris_module = {
    STANDARD20_MODULE_STUFF,
    NULL,               /* per-directory config creator */
    NULL,               /* per-directory config merger */
    NULL,               /* per-server config creator */
    NULL,               /* per-server config merger */
    NULL,               /* command table */
    noloris_hooks
};

Is this worth hacking up, or more trouble than it saves?

-- 
Nick Kew
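The counter logic the outline describes, as an added example that is not from Nick's mail or from any mod_noloris code: a stand-alone C model of "increment on connect, decrement on cleanup, compare against the per-host or default limit", runnable without the httpd headers. The names (noloris_table, noloris_conn_open, noloris_conn_close, noloris_burst), the fixed-size in-memory table and the constructed addresses are assumptions made here; the mail envisages dbm or memcache as the shared store. It goes slightly beyond the mail in also modelling the per-host override and the release path, so the accept/reject decisions can be checked end to end.

```c
#include <stdio.h>
#include <string.h>

/* Stand-alone model of the per-IP connection counter outlined in the mail.
 * All names and the fixed-size table are assumptions for this example; the
 * mail envisages dbm or memcache as the backing store. */

#define NOLORIS_MAX_HOSTS 64
#define NOLORIS_IP_LEN    46   /* enough for a textual IPv6 address */

typedef struct {
    char ip[NOLORIS_IP_LEN];
    int  active;       /* connections currently open from this address */
    int  host_limit;   /* per-host override; 0 means "use the default" */
} noloris_host;

typedef struct {
    noloris_host hosts[NOLORIS_MAX_HOSTS];
    int nhosts;
    int default_limit;
} noloris_table;

void noloris_init(noloris_table *t, int default_limit)
{
    memset(t, 0, sizeof(*t));
    t->default_limit = default_limit;
}

/* Find the entry for an address, creating it on request.
 * NULL if the address is unknown (create == 0) or the table is full. */
static noloris_host *noloris_lookup(noloris_table *t, const char *ip, int create)
{
    noloris_host *h;
    int i;

    for (i = 0; i < t->nhosts; i++)
        if (strcmp(t->hosts[i].ip, ip) == 0)
            return &t->hosts[i];
    if (!create || t->nhosts >= NOLORIS_MAX_HOSTS)
        return NULL;
    h = &t->hosts[t->nhosts++];
    strncpy(h->ip, ip, NOLORIS_IP_LEN - 1);
    h->ip[NOLORIS_IP_LEN - 1] = '\0';
    return h;
}

/* Configure a per-host override (0 restores the default). -1 if the table is full. */
int noloris_set_host_limit(noloris_table *t, const char *ip, int limit)
{
    noloris_host *h = noloris_lookup(t, ip, 1);
    if (!h)
        return -1;
    h->host_limit = limit;
    return 0;
}

/* limit = per-host-limit || default-limit, as in the outline */
int noloris_effective_limit(noloris_table *t, const char *ip)
{
    noloris_host *h = noloris_lookup(t, ip, 0);
    return (h && h->host_limit > 0) ? h->host_limit : t->default_limit;
}

/* Hook body for a new connection: 1 = let it through, 0 = drop it.
 * Same outcome as "increment, then drop if over the limit": a dropped
 * connection is simply never counted, since its cleanup would undo the
 * increment at once. A full table fails open so the limiter itself can
 * never refuse every client; a real store has no such cap. */
int noloris_conn_open(noloris_table *t, const char *ip)
{
    noloris_host *h = noloris_lookup(t, ip, 1);
    if (!h)
        return 1;
    if (h->active + 1 > noloris_effective_limit(t, ip))
        return 0;
    h->active++;
    return 1;
}

/* Pool-cleanup analogue: runs when an accepted connection's pool is destroyed.
 * Guarded so an unmatched close can never drive the count negative. */
void noloris_conn_close(noloris_table *t, const char *ip)
{
    noloris_host *h = noloris_lookup(t, ip, 0);
    if (h && h->active > 0)
        h->active--;
}

int noloris_active(noloris_table *t, const char *ip)
{
    noloris_host *h = noloris_lookup(t, ip, 0);
    return h ? h->active : 0;
}

/* Open `attempts` connections from one address without closing any
 * (the slowloris pattern); returns how many were accepted. */
int noloris_burst(noloris_table *t, const char *ip, int attempts)
{
    int accepted = 0, i;
    for (i = 0; i < attempts; i++)
        accepted += noloris_conn_open(t, ip);
    return accepted;
}

int main(void)
{
    noloris_table t;                                  /* constructed addresses below */
    noloris_init(&t, 5);
    noloris_set_host_limit(&t, "10.0.0.1", 2);
    printf("10.0.0.1: %d of 10 accepted\n", noloris_burst(&t, "10.0.0.1", 10));
    printf("192.0.2.7: %d of 10 accepted\n", noloris_burst(&t, "192.0.2.7", 10));
    noloris_conn_close(&t, "192.0.2.7");
    printf("after one close: %d\n", noloris_conn_open(&t, "192.0.2.7"));
    return 0;
}
```

The decrement is tied to connection teardown rather than to request completion, which is the point for a slowloris-style client: it never completes a request, so only a connection-level cleanup can release its slot. The model also makes the limiter's scope visible: it caps what one address can hold open, and says nothing about many addresses each staying under the limit.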