httpd-dev mailing list archives

From Eric Covener <>
Subject Re: slowloris DoS attack-How to check time taken by server for reading a request
Date Tue, 01 Sep 2009 11:38:35 GMT
On Tue, Sep 1, 2009 at 5:58 AM, nikhil kohli<> wrote:

> 1. Can we mitigate the issue using iptables only?

That seems to be the conventional wisdom.

> 2. Even mod_noloris.c is vulnerable to slowloris attack, will there be a
> change in approach for solving this in future?

People seem to be working on it from a few angles, and there are
already multiple modules that address it -- I wouldn't call this one
authoritative or final in any way.

> 3. Is there a way to delay the process of creating connection until whole
> header is received?

I don't think so, can you elaborate on what you mean by creating a connection?

> 4. How to check time taken by server for reading the request?

The core notes the time when the request line is read, but not when
all the headers are done.  Modules can easily note these times
though by springing to life in the right hook.

These types of questions are better posed on

> Also, may I know if the Apache team acknowledges slowloris as an issue or not?

Can't speak for anyone else, but it seems to be acknowledged mostly as
a scalability/optimization issue which has already been on the radar
(and only as a pressing issue at the firewall level)

Eric Covener
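
The two timestamps discussed under question 4 (request line read, all headers done), as an added example that is not part of the original message and is not Apache httpd code: a stand-alone Python sketch that notes both times for one connection and flags header reads that run past a limit. The names (ReadTimes, note_read_times, classify), the 15-second limit and the timing traces are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass
class ReadTimes:
    started_at: Optional[float] = None       # first bytes arrived
    request_line_at: Optional[float] = None  # first CRLF seen
    headers_done_at: Optional[float] = None  # blank line (CRLF CRLF) seen

    def header_read_seconds(self) -> Optional[float]:
        """Time from request line to end of headers, if both were seen."""
        if self.request_line_at is None or self.headers_done_at is None:
            return None
        return self.headers_done_at - self.request_line_at


def note_read_times(chunks: Iterable[Tuple[float, bytes]]) -> ReadTimes:
    """chunks: (arrival_time, data) pairs for one connection, in order."""
    times, buf = ReadTimes(), b""
    for at, data in chunks:
        if times.started_at is None:
            times.started_at = at
        buf += data  # markers may be split across reads, so search the buffer
        if times.request_line_at is None and b"\r\n" in buf:
            times.request_line_at = at
        if b"\r\n\r\n" in buf:
            times.headers_done_at = at
            break
    return times


def classify(times: ReadTimes, now: float, limit: float) -> str:
    """'ok'/'slow' for finished header reads, 'reading'/'stalled' for open ones."""
    if times.started_at is None:
        return "reading"  # nothing received yet
    done = times.headers_done_at is not None
    elapsed = (times.headers_done_at if done else now) - times.started_at
    if elapsed > limit:
        return "slow" if done else "stalled"
    return "ok" if done else "reading"


# Constructed timing traces (seconds since accept), not captured traffic.
QUICK = [(0.0, b"GET / HTTP/1.1\r\nHost: exa"), (0.5, b"mple.test\r\n\r\n")]
SPLIT = [(0.0, b"GET / HTTP/1.1\r"), (1.0, b"\nHost: h\r\n\r"), (2.5, b"\n")]
NEVER_DONE = [(0.0, b"GET / HTTP/1.1\r\n"), (10.0, b"X-a: 1\r\n"), (20.0, b"X-b: 2\r\n")]

if __name__ == "__main__":
    for name, trace in (("quick", QUICK), ("split", SPLIT), ("never_done", NEVER_DONE)):
        t = note_read_times(trace)
        print(name, t.header_read_seconds(), classify(t, now=30.0, limit=15.0))
```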
