httpd-dev mailing list archives

From Gonzalo Arana <gonzalo.ar...@gmail.com>
Subject Re: mod_noloris: mitigating against slowloris-style attack
Date Wed, 01 Jul 2009 13:32:43 GMT
On Wed, Jul 1, 2009 at 9:49 AM, Nick Kew<nick@webthing.com> wrote:
> Gonzalo Arana wrote:
>>
>> Hi,
>>
>> Keeping whitelist up to date is rather tricky.
>>
>> How about having any/all of these directives?
>>
>> # time between accept(2) call and the full request has been read.
>> RequestTimeout   1
>>
>> # minimum bandwidth the user should have available to access this server.
>> MinInRate             2KB/s
>> MinOutRate             3KB/s
>
> That'll completely exclude people on slow connections!

The RequestTimeout could aid in telling apart slow connections from
a slowloris attack.

Is there any other way to tell apart a slow connection from a slowloris
attack without keeping a whitelist?

The purpose of having this value tunable via a directive is to let any
sysadmin change this value.

> But it's something you could implement in a bandwidth-management
> module.

I agree.

>> One extra note: it would be good to let these Min{In,Out}Rate be
>> overridden for large files (audio/video files, for instance).
>
> You don't have anything as specific as a file in a slowloris-type
> attack.  You appear to be envisaging something much closer to
> various (existing, third-party) bandwidth-management modules.

I know the slowloris attack does not depend on the file size.
MinOutRate could be raised in some cases anyway.

These directives resemble bandwidth management, but wouldn't this help
with the slowloris attack, without adding the need for whitelist
management?

>
> --
> Nick Kew
>

Best regards,

-- 
Gonzalo A. Arana
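
The trade-off discussed in this message, as an added example that is not part of the original thread and is not Apache httpd code: a request-read deadline alone versus a deadline plus a minimum inbound rate, applied to constructed connection snapshots. All struct and function names, the grace window, the unit of RequestTimeout (seconds) and the reading of 2KB/s as 2048 bytes/s are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical policy mirroring the directives proposed in the message. */
struct policy {
    double request_timeout_s; /* RequestTimeout; unit assumed to be seconds */
    double min_in_rate;       /* MinInRate in bytes/s; 0 disables the check */
    double rate_grace_s;      /* assumed: no rate verdict before this much time */
};

/* Constructed snapshot of one connection while its request is being read. */
struct conn {
    const char *label;
    double elapsed_s;      /* time since accept(2) */
    size_t bytes_read;     /* request bytes received so far */
    bool request_complete; /* the full request has been read */
};
enum verdict { KEEP, DROP_TIMEOUT, DROP_SLOW };

enum verdict check_conn(const struct policy *p, const struct conn *c)
{
    /* The deadline only matters while the request is still incomplete. */
    if (!c->request_complete && c->elapsed_s > p->request_timeout_s)
        return DROP_TIMEOUT;
    /* Average inbound rate, judged only after the grace window. */
    if (p->min_in_rate > 0 && c->elapsed_s >= p->rate_grace_s &&
        (double)c->bytes_read / c->elapsed_s < p->min_in_rate)
        return DROP_SLOW;
    return KEEP;
}

/* Constructed samples, not measurements. */
const struct conn trickle = { "trickling headers", 5.0, 40, false };
const struct conn modem   = { "slow but complete", 0.6, 600, true };
const struct conn fast    = { "ordinary client", 0.05, 600, true };
const struct policy timeout_only = { 1.0, 0.0, 0.5 };
const struct policy with_rate    = { 1.0, 2048.0, 0.5 };

int main(void)
{
    const struct conn *all[] = { &trickle, &modem, &fast };
    static const char *names[] = { "KEEP", "DROP_TIMEOUT", "DROP_SLOW" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s timeout-only=%-12s with-rate=%s\n", all[i]->label,
               names[check_conn(&timeout_only, all[i])],
               names[check_conn(&with_rate, all[i])]);
    return 0;
}
```

With these samples the deadline alone already drops the trickling connection, while adding the rate floor also drops the slow client that finished its request inside the deadline.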
