httpd-dev mailing list archives

From: Stefan Fritsch
Subject: Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date: Tue, 01 Sep 2009 06:42:56 GMT
On Tuesday 01 September 2009, Nick Kew wrote:
> How does it relate to the Timeout directive?

The Timeout directive sets the maximum time between two packets. 
mod_reqtimeout will set the socket timeout to the minimum of 
{Timeout, time left for the current request}. You can set 
RequestTimeout to much lower values than Timeout and it still works as 

> One comment: you're returning APR_EGENERAL if there's no config.
> I'd strongly suggest you always do-nothing if not configured.
> Or if not-configured is a can't-happen event, catch it with
> an ap_assert.

Not-configured should not happen and would be a bug, I will change it 
to ap_assert.

> > - Obviously the body read timeout is only useful for sites that
> > do not allow file uploads. But an extension to a minimum body
> > transfer rate would probably be possible. Also, it would be
> > possible to make the body read timeout configurable by directory,
> > which may be useful if file uploads are only allowed by
> > authorized users.
> The body part probably overlaps with what existing modules like
> mod_evasive and the bandwidth-management modules do.  Have you
> looked at them?

I haven't looked very closely at them. But from the descriptions it 
looked like they defend against too much traffic/requests. I try to 
defend against connections with very little traffic.

And unless they fiddle with the socket timeout too, they are limited 
by the value of the Timeout directive. Once apache is in a blocking 
read, the modules can't do anything until the timeout expires. When 
Timeout is set to a large value like 300s (e.g. because of mod_cgi), 
mod_reqtimeout can still limit the maximum time for reading the body 
to a much lower value (like 15s for sites that have only forms and no 
file uploads).

I also start counting the bodytimeout only when there is the first 
read for the body. That way the time needed by apache to process the 
request is not included.

> > - Apache should respond with HTTP_REQUEST_TIME_OUT and not
> > HTTP_BAD_REQUEST when there is a timeout reading the request.
> In the slowloris case, it needs to time out before there's any such
> thing as an HTTP request, so it won't be sending an HTTP response.
> But I guess you're talking about the body timeout?

No, about the request. When apache has received at least one line of 
the request, it currently responds with HTTP_BAD_REQUEST when there is 
a timeout before the complete request was read. In this case 
HTTP_REQUEST_TIME_OUT is more appropriate. It means "the client did 
not produce a request within the time that the server was prepared to 

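A small model of the timeout rule described in this thread, added here as an illustration and not taken from the mod_reqtimeout patch itself: the socket timeout for each blocking read is min(Timeout, time left for the current phase), and the body clock only starts at the first body read. The header_timeout/body_timeout fields and all function names are assumptions of this example; the slow-client arrival times in the simulation are constructed.

```c
/* Simplified model of the timeout rule from the mail; not the module's real code. */
typedef enum { PHASE_HEADER, PHASE_BODY } req_phase;
typedef struct {
    long timeout;         /* the Timeout directive (seconds) */
    long header_timeout;  /* assumed: max seconds to read request line + headers */
    long body_timeout;    /* assumed: max seconds to read the body */
} reqtimeout_cfg;
typedef struct {
    req_phase phase;
    long deadline;        /* absolute time by which the current phase must finish */
} reqtimeout_state;

/* Connection accepted: the header clock starts immediately. */
void reqtimeout_conn_start(reqtimeout_state *st, long now, const reqtimeout_cfg *cfg)
{
    st->phase = PHASE_HEADER;
    st->deadline = now + cfg->header_timeout;
}

/* First body read: the body clock starts here, so the time httpd spent
 * processing the request (before any body read) is not charged to the client. */
void reqtimeout_body_first_read(reqtimeout_state *st, long now, const reqtimeout_cfg *cfg)
{
    if (st->phase != PHASE_BODY) {
        st->phase = PHASE_BODY;
        st->deadline = now + cfg->body_timeout;
    }
}

/* Socket timeout for the next blocking read: min(Timeout, time left in this phase).
 * Returns 0 once the deadline has passed, i.e. the read must not block at all. */
long reqtimeout_socket_timeout(const reqtimeout_state *st, long now, const reqtimeout_cfg *cfg)
{
    long left = st->deadline - now;
    if (left <= 0) return 0;
    return left < cfg->timeout ? left : cfg->timeout;
}

/* Simulate a slow client: arrivals[] are absolute times at which header bytes arrive.
 * Returns the time the server stops waiting, or -1 if every byte arrived in time. */
long reqtimeout_simulate(const long *arrivals, int n, const reqtimeout_cfg *cfg)
{
    reqtimeout_state st;
    long now = 0;
    reqtimeout_conn_start(&st, now, cfg);
    for (int i = 0; i < n; i++) {
        long wait = reqtimeout_socket_timeout(&st, now, cfg);
        if (arrivals[i] > now + wait)
            return now + wait;   /* blocking read timed out before the next byte */
        now = arrivals[i];
    }
    return -1;
}
```

With Timeout 300 and a 20 s header budget, a client trickling one header byte every ~10 s is dropped at t=20 instead of being allowed to hold the worker for up to 300 s per byte.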