httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date Sun, 06 Sep 2009 20:38:01 GMT
On Tuesday 01 September 2009, Ruediger Pluem wrote:
> I guess
> 
> reqtimeout_after_body
> 
> also needs to be updated to the assert / do nothing if not
>  configured logic like reqtimeout_after_headers
> 

Thanks, I missed that. I fixed it and also added support for minimum 
upload rates:

This

RequestHeaderTimeout initialTimeout [maxTimeout]
RequestHeaderMinRate minRate

will now set the timeout to initialTimeout. Whenever data is received, 
the timeout is increased according to minRate, but not to a value 
larger than maxTimeout. If RequestHeaderMinRate is not present, 
maxTimeout will be ignored.

The same goes for the Body* directives.

The new version is again at
http://www.sfritsch.de/mod_reqtimeout/

@Nick: I have now also had a brief look at mod_evasive, mod_cband and 
mod_qos.

mod_evasive only does request-level checking and cannot defend against 
slowloris-style attacks.

mod_cband only provides upper bandwidth and connection limits.

mod_qos has minimum upload rates and per-IP connection limits and much 
more. However, it is much more heavyweight than mod_reqtimeout. The 
source code is about 20 times larger, it uses many mutexes, etc.  
Therefore I think mod_reqtimeout still has its use cases. And it's far 
easier to review, too ;-)

Cheers,
Stefan
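
The timeout rule described in the message above, modelled as an added example (not code from the message or from mod_reqtimeout). It assumes times in milliseconds from the start of the header stage, minRate in bytes per second, and that a read of N bytes extends the deadline by N/minRate seconds; the struct and function names are hypothetical and the traffic is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not mod_reqtimeout source. Assumed units: milliseconds
 * measured from the start of the header stage; min_rate in bytes per second. */
typedef struct {
    long initial_ms; /* initialTimeout */
    long max_ms;     /* maxTimeout (assumed >= initial_ms); unused if min_rate == 0 */
    long min_rate;   /* minRate; 0 models "RequestHeaderMinRate not present" */
} stage_cfg;

typedef struct { long at_ms; long bytes; } read_event; /* one successful read */

/* Constructed sample traffic. */
static const read_event TRICKLE[] = { {9000, 10}, {18000, 10}, {27000, 10} };
static const read_event STEADY[]  = { {2000, 4000}, {9000, 4000},
                                      {20000, 4000}, {29000, 4000} };

/* Returns the time at which the stage is cut off, or -1 if every read arrived
 * before the deadline in force at that moment. *final_ms gets the last deadline. */
long stage_cutoff(const stage_cfg *cfg, const read_event *ev, size_t n, long *final_ms)
{
    long deadline = cfg->initial_ms;
    long cutoff = -1;
    for (size_t i = 0; i < n && cutoff < 0; i++) {
        if (ev[i].at_ms >= deadline) {
            cutoff = deadline;               /* timer fired before this read */
        } else if (cfg->min_rate > 0) {
            /* Assumed reading of "increased according to minRate":
             * N bytes buy N / minRate seconds, capped at maxTimeout. */
            deadline += ev[i].bytes * 1000 / cfg->min_rate;
            if (deadline > cfg->max_ms)
                deadline = cfg->max_ms;
        }
    }
    *final_ms = deadline;
    return cutoff;
}

int main(void)
{
    stage_cfg with_rate = {10000, 30000, 500}, no_rate = {10000, 30000, 0};
    long fin;
    long c = stage_cutoff(&with_rate, TRICKLE, 3, &fin);
    printf("trickle: cutoff=%ld ms\n", c);
    c = stage_cutoff(&with_rate, STEADY, 4, &fin);
    printf("steady:  cutoff=%ld final deadline=%ld ms\n", c, fin);
    c = stage_cutoff(&no_rate, STEADY, 4, &fin);
    printf("no rate: cutoff=%ld ms\n", c);
    return 0;
}
```

With a minimum rate set, the trickling client gains only 20 ms per read and is cut off almost at the initial timeout, while the steady client's deadline grows until it reaches the maximum.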
