httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date Mon, 31 Aug 2009 23:05:22 GMT
Stefan Fritsch wrote:
> Hi,
> 
> since there was some doubt that the mod_antiloris and mod_noloris 
> modules use the correct approach against slowloris type attacks, I 
> hacked up something different.  mod_reqtimeout allows setting timeouts 
> for the reading request and reading body phases.  It is implemented as 
> an input connection filter that sets the socket timeout so that the 
> total request time does not exceed the timeout value. I have done only 
> limited testing but it seems to work (with prefork).  The source is 
> here:
> 
> http://www.sfritsch.de/mod_reqtimeout/mod_reqtimeout.c

On a quick glance: interesting approach, thanks for posting.
How does it relate to the Timeout directive?

One comment: you're returning APR_EGENERAL if there's no config.
I'd strongly suggest you always do-nothing if not configured.
Or if not-configured is a can't-happen event, catch it with
an ap_assert.

> - Is this a reasonable approach or did I overlook something important? 
> If the former, would you consider including something like it with 
> httpd?

Would need think-time to answer that (and it's way too noisy to think
here).

> - How do I prevent the filter from being inserted for other protocols 
> (echo, ftp)?

Make it check the port, and do-nothing if it's not configured to act
on that port.

> - Obviously the body read timeout is only useful for sites that do not 
> allow file uploads. But an extension to a minimum body transfer rate 
> would probably be possible. Also, it would be possible to make the 
> body read timeout configurable by directory, which may be useful if 
> file uploads are only allowed by authorized users.

The body part probably overlaps with what existing modules like
mod_evasive and the bandwidth-management modules do.  Have you
looked at them?

> - This does not defend against attacks like: HEAD request, wait, HEAD 
> request, wait, ... But the keepalive timeout can be tuned for that.
> 
> - If you test it under linux or *bsd, don't get confused by the accept 
> filter.
> 
> - Apache should respond with HTTP_REQUEST_TIME_OUT and not 
> HTTP_BAD_REQUEST when there is a timeout reading the request.

In the slowloris case, it needs to time out before there's any such
thing as an HTTP request, so it won't be sending an HTTP response.
But I guess you're talking about the body timeout?

-- 
Nick Kew
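As an added example (not code from mod_reqtimeout, from httpd, or from either poster), here is a Python model of the mechanism the message describes: before every read the socket timeout is set to whatever is left of the request-phase budget, so a slowloris client that dribbles one header line per interval is cut off when the budget runs out, however many reads it provokes. The `should_apply` gate models Nick's two review points (no config means do nothing rather than fail, and only act on ports the filter is configured for), and `min_rate` goes one step beyond the thread to the minimum-transfer-rate extension Stefan floats. The gate, the `min_rate` accounting, the function names and the fragment streams are assumptions of this example, not httpd's.

```python
"""Model of a mod_reqtimeout-style header read bounded by one deadline.
Added example: not code from mod_reqtimeout, httpd, or either poster."""
import socket
import threading
import time
from typing import Optional


class RequestTimeout(Exception):
    """Client did not finish the request-header block within its budget."""


def should_apply(config: Optional[dict], local_port: int) -> bool:
    """Filter gate: no config means do nothing (not an error), and the filter
    only acts on ports it is configured for. 'ports' is an assumed key."""
    if not config:
        return False
    ports = config.get("ports")
    return ports is None or local_port in ports


def read_request_headers(sock, timeout, max_timeout=None, min_rate=None,
                         max_bytes=8192):
    """Read until the blank line ending the headers, or fail at the deadline.

    The socket timeout is reset to the time *remaining* before each recv(),
    so the whole header phase shares one budget no matter how many tiny
    fragments arrive. With min_rate (bytes/second) every byte earns
    1/min_rate seconds of extra budget, capped at max_timeout; that
    accounting is an assumption of this example.
    """
    start = time.monotonic()
    deadline = start + timeout
    hard_deadline = start + (timeout if max_timeout is None else max_timeout)
    buf = bytearray()
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise RequestTimeout(f"no complete headers after {len(buf)} bytes")
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            raise RequestTimeout(f"no complete headers after {len(buf)} bytes") from None
        if not chunk:
            raise ConnectionError("peer closed before end of headers")
        buf += chunk
        if len(buf) > max_bytes:
            raise ValueError("header block too large")
        if min_rate:
            deadline = min(hard_deadline, deadline + len(chunk) / min_rate)
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return bytes(buf[:end + 4])


def slow_sender(sock, fragments, interval):
    """Constructed slowloris-style client: send one fragment, sleep, repeat."""
    try:
        for frag in fragments:
            sock.sendall(frag)
            time.sleep(interval)
    except OSError:
        pass  # the reader gave up and closed its end


def simulate(fragments, interval, timeout, **kwargs):
    """Run slow_sender against read_request_headers over a socketpair.
    Returns ("ok", header_bytes) or ("timeout", seconds_elapsed)."""
    server, client = socket.socketpair()
    t = threading.Thread(target=slow_sender, args=(client, fragments, interval),
                         daemon=True)
    start = time.monotonic()
    t.start()
    try:
        return ("ok", read_request_headers(server, timeout, **kwargs))
    except RequestTimeout:
        return ("timeout", time.monotonic() - start)
    finally:
        server.close()
        client.close()
        t.join(timeout=interval * len(fragments) + 1)


# Constructed inputs: a complete request, and a stream that never sends the
# terminating blank line (the slowloris pattern).
COMPLETE = [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n", b"\r\n"]
SLOWLORIS = [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n"] + \
            [b"X-a: %d\r\n" % i for i in range(40)]

if __name__ == "__main__":
    print(simulate(COMPLETE, 0.01, timeout=1.0))
    print(simulate(SLOWLORIS, 0.05, timeout=0.2))
    print(simulate(SLOWLORIS[:6] + [b"\r\n"], 0.05, timeout=0.15))
    print(simulate(SLOWLORIS[:6] + [b"\r\n"], 0.05, timeout=0.15,
                   max_timeout=2.0, min_rate=100))
```

Run as-is it prints the complete request succeeding, the never-ending stream timing out at about the budget, and the same slow-but-finite stream failing under a fixed budget yet succeeding once each received byte buys time. Note that, as Nick says, the header-phase timeout fires before any HTTP request exists, so the only thing to do is close the connection; a 408 only makes sense once a request line has been parsed and the timeout is on the body.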
