httpd-dev mailing list archives

From Stefan Fritsch
Subject Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date Sun, 06 Sep 2009 20:38:01 GMT
On Tuesday 01 September 2009, Ruediger Pluem wrote:
> I guess
> reqtimeout_after_body
> also needs to be updated to the assert / do nothing if not
>  configured logic like reqtimeout_after_headers

Thanks, I missed that. I fixed it and also added support for minimum 
upload rates:


RequestHeaderTimeout initialTimeout [maxTimeout]
RequestHeaderMinRate minRate

will now set the timeout to initialTimeout. Whenever data is received, 
the timeout is increased according to minRate, but not to a value 
larger than maxTimeout. If RequestHeaderMinRate is not present, 
maxTimeout will be ignored.

The same goes for the Body* directives.

The new version is again at

@Nick: I now had also a brief look at mod_evasive, mod_cband and 

mod_evasive does only request-level checking and cannot defend against 
slowloris style attacks.

mod_cband only provides upper bandwidth and connection limits.

mod_qos has minimum upload rates and per IP connection limits and much 
more. However, it is much more heavyweight than mod_reqtimeout. The 
source code is about 20 times larger, it uses many mutexes, etc.  
Therefore I think mod_reqtimeout still has its use cases. And it's far 
easier to review, too ;-)
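
The deadline arithmetic described in the message above, as an added example that is not part of the original post and is not mod_reqtimeout's code. It assumes times in milliseconds measured from the start of the stage, minRate in bytes per second, and that each received byte extends the deadline by 1/minRate seconds; all struct and function names are hypothetical.

```c
#include <stdio.h>
/* Added model, not mod_reqtimeout source. Assumed units: times in
 * milliseconds since stage start, min_rate in bytes per second. */
struct stage_cfg {
    long initial_ms; /* initialTimeout */
    long max_ms;     /* maxTimeout, 0 = not given; ignored without min_rate */
    long min_rate;   /* minRate, 0 = Request*MinRate not present */
};
struct chunk { long at_ms; long bytes; }; /* one read: arrival time, size */

/* Walk the arrivals. Returns the time at which the stage times out,
 * or -1 if every chunk arrived before the deadline then in force. */
long stage_timeout_at(const struct stage_cfg *cfg, const struct chunk *c, int n)
{
    long deadline = cfg->initial_ms;
    for (int i = 0; i < n; i++) {
        if (c[i].at_ms >= deadline)
            return deadline;                 /* data came too late */
        if (cfg->min_rate > 0) {             /* extend per received byte */
            deadline += c[i].bytes * 1000 / cfg->min_rate;
            if (cfg->max_ms > 0 && deadline > cfg->max_ms)
                deadline = cfg->max_ms;      /* never beyond maxTimeout */
        }
    }
    return -1;
}

/* Constructed trace: `count` chunks of `bytes` bytes, one every `period_ms`. */
long periodic_sender(const struct stage_cfg *cfg, long period_ms, long bytes, int count)
{
    struct chunk trace[64];
    if (count > 64) count = 64;
    for (int i = 0; i < count; i++)
        trace[i] = (struct chunk){ period_ms * (i + 1), bytes };
    return stage_timeout_at(cfg, trace, count);
}

/* Constructed settings: 10 s initial, 30 s max, 500 bytes/s minimum rate. */
static const struct stage_cfg with_rate = { 10000, 30000, 500 };
static const struct stage_cfg no_rate   = { 10000, 30000, 0 };
int main(void)
{
    printf("normal:  %ld\n", periodic_sender(&with_rate, 50, 400, 1));
    printf("trickle: %ld\n", periodic_sender(&with_rate, 5000, 1, 6));
    printf("capped:  %ld\n", periodic_sender(&with_rate, 1000, 1000, 35));
    printf("no rate: %ld\n", periodic_sender(&no_rate, 1000, 1000, 35));
    return 0;
}
```

In this model a client trickling 1 byte every 5 s gains only 2 ms per byte and is cut off at 10004 ms, while a sender well above minRate is still bounded by maxTimeout at 30000 ms.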

