httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date Mon, 31 Aug 2009 22:43:53 GMT
Hi,

since there was some doubt that the mod_antiloris and mod_noloris 
modules use the correct approach against slowloris-type attacks, I 
hacked up something different.  mod_reqtimeout allows setting timeouts 
for the request-reading and body-reading phases.  It is implemented as 
an input connection filter that sets the socket timeout so that the 
total request time does not exceed the timeout value. I have done only 
limited testing but it seems to work (with prefork).  The source is 
here:

http://www.sfritsch.de/mod_reqtimeout/mod_reqtimeout.c

Any comments are welcome. Some questions/thoughts:

- Is this a reasonable approach or did I overlook something important? 
If the former, would you consider including something like it with 
httpd?

- Would it work with mpm_event? Would it make sense to only insert it 
for ssl with mpm_event? If yes, how do I do that?

- How do I prevent the filter from being inserted for other protocols 
(echo, ftp)?

- Obviously the body read timeout is only useful for sites that do not 
allow file uploads. But an extension to a minimum body transfer rate 
would probably be possible. Also, it would be possible to make the 
body read timeout configurable by directory, which may be useful if 
file uploads are only allowed for authorized users.

- This does not defend against attacks like: HEAD request, wait, HEAD 
request, wait, ... But the keepalive timeout can be tuned for that.

- If you test it under linux or *bsd, don't get confused by the accept 
filter.

- Apache should respond with HTTP_REQUEST_TIME_OUT and not 
HTTP_BAD_REQUEST when there is a timeout reading the request.

Cheers,
Stefan
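The following is an added example, not Stefan's mod_reqtimeout.c and not httpd code. It models in Python the technique the mail describes: before every read the socket timeout is set to whatever is left of one overall budget, so the total time spent reading a request is bounded, in contrast to a naive fixed per-read timeout that a slowloris client defeats by sending one byte just before each read would time out. It also models the minimum-body-transfer-rate extension the mail floats (the deadline is extended in proportion to bytes actually received). All function names, parameters, the fake clock and the scripted client socket are this example's own assumptions; the request bytes and transfer rates are constructed.

```python
import socket
import time


class RequestTimeout(Exception):
    """Whole request-read budget used up (the case to answer with 408, not 400)."""


def read_until_naive(sock, done, per_read_timeout):
    """Naive loop: one fixed timeout per recv(). A client sending a byte just
    before each timeout expires holds the worker for as long as it likes."""
    sock.settimeout(per_read_timeout)
    buf = b""
    while not done(buf):
        chunk = sock.recv(4096)          # only an individual stalled read times out
        if not chunk:
            raise ConnectionError("client closed connection")
        buf += chunk
    return buf


def read_until_deadline(sock, done, timeout, min_rate=None, clock=time.monotonic):
    """mod_reqtimeout-style loop: the socket timeout before each recv() is the
    remaining part of one overall budget, so the sum of all waits is bounded.
    min_rate (bytes/s, optional): every received byte extends the deadline by
    1/min_rate seconds, so a steady upload above that rate is not cut off
    while a trickle below it still is. `clock` is injectable for testing."""
    start = clock()
    deadline = start + timeout
    buf = b""
    while not done(buf):
        remaining = deadline - clock()
        if remaining <= 0:
            raise RequestTimeout("request incomplete after %.0fs" % (clock() - start))
        sock.settimeout(remaining)       # the key step: timeout = budget left
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            raise RequestTimeout("read stalled, budget exhausted") from None
        if not chunk:
            raise ConnectionError("client closed connection")
        buf += chunk
        if min_rate:
            deadline += len(chunk) / min_rate
    return buf


def headers_complete(buf):
    return b"\r\n\r\n" in buf


# Constructed test doubles: a fake clock and a scripted client socket.
class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class ScriptedSocket:
    """Stand-in for an accepted client socket: delivers `data` in chunks of
    `chunk` bytes, one chunk every `interval` fake seconds, and honours
    settimeout() like a real socket (socket.timeout if the next chunk would
    arrive after the timeout)."""
    def __init__(self, data, chunk, interval, clock):
        self.data, self.chunk, self.interval, self.clock = data, chunk, interval, clock
        self.pos, self.timeout = 0, None

    def settimeout(self, t):
        self.timeout = t

    def recv(self, n):
        if self.pos >= len(self.data):
            return b""
        if self.timeout is not None and self.interval > self.timeout:
            self.clock.t += self.timeout
            raise socket.timeout("timed out")
        self.clock.t += self.interval
        out = self.data[self.pos:self.pos + min(n, self.chunk)]
        self.pos += len(out)
        return out


# Constructed request: an ordinary-looking 197-byte header block.
SLOW_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                b"X-Pad: " + b"a" * 150 + b"\r\n\r\n")


def slowloris_vs_naive(per_read_timeout=5.0, interval=4.0):
    """1 byte every `interval` s against the naive reader: (bytes read, worker seconds)."""
    clock = FakeClock()
    sock = ScriptedSocket(SLOW_REQUEST, chunk=1, interval=interval, clock=clock)
    buf = read_until_naive(sock, headers_complete, per_read_timeout)
    return len(buf), clock.t


def slowloris_vs_deadline(timeout=20.0, interval=4.0):
    """Same client against the deadline reader: (timed_out, worker seconds)."""
    clock = FakeClock()
    sock = ScriptedSocket(SLOW_REQUEST, chunk=1, interval=interval, clock=clock)
    try:
        read_until_deadline(sock, headers_complete, timeout, clock=clock)
        return False, clock.t
    except RequestTimeout:
        return True, clock.t


def upload_vs_deadline(size=30000, rate=1000, timeout=20.0, min_rate=None):
    """Body phase: `size` bytes uploaded at `rate` B/s; (bytes accepted, seconds)
    or RequestTimeout if the budget runs out."""
    clock = FakeClock()
    sock = ScriptedSocket(b"x" * size, chunk=rate, interval=1.0, clock=clock)
    buf = read_until_deadline(sock, lambda b: len(b) >= size, timeout,
                              min_rate=min_rate, clock=clock)
    return len(buf), clock.t
```

With a 5 s per-read timeout the naive reader happily spends 788 s of a worker's time on a 197-byte header arriving at one byte every 4 s, while the deadline reader drops the same client at 20 s. A 30 kB upload at 1000 B/s is cut off at 20 s by the plain deadline but completes under a 500 B/s minimum rate, which is the trade-off the mail points to for sites that allow uploads (the shipped httpd module later exposed exactly this pair of knobs as the header= and body= timeouts with MinRate= in RequestReadTimeout). Note the ScriptedSocket is deliberately deterministic; against a real socket the same two reader loops apply unchanged, with time.monotonic as the clock.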
