httpd-dev mailing list archives

From nikhil kohli <>
Subject Re: slowloris DoS attack-How to check time taken by server for reading a request
Date Wed, 02 Sep 2009 07:49:41 GMT
Thanks for the reply.

I just checked the size of the requests issued by slowloris; it is
very small compared to valid requests. So I was wondering if we
can adjust the timeout according to the request length.

The idea is to set a low timeout for request lengths lower than a
threshold value. Please help me understand the consequences of such an

Thanks and regards,

On Tue, Sep 1, 2009 at 5:08 PM, Eric Covener <> wrote:
> On Tue, Sep 1, 2009 at 5:58 AM, nikhil kohli<> wrote:
> > 1. Can we mitigate the issue using iptables only?
> That seems to be the conventional wisdom.
> > 2. Even mod_noloris.c is vulnerable to slowloris attack, will there be a
> > change in approach for solving this in future?
> People seem to be working on it from a few angles, and there are
> already multiple modules that address it -- I wouldn't call this one
> authoritative or final in any way.
> > 3. Is there a way to delay the process of creating connection until whole
> > header is received?
> I don't think so, can you elaborate on what you mean by creating a connection?
> > 4. How to check time taken by server for reading the request?
> The core notes the time when the request line is read, but not when
> all the headers are done.  Modules can easily note these times
> though by springing to life in the right hook.
> These types of questions are better posed on
> > Also, may I know if the Apache team acknowledges slowloris as an issue or not?
> Can't speak for anyone else, but it seems to be acknowledged mostly as
> a scalability/optimization issue which has already been on the radar
> (and only as a pressing issue at the firewall level)
> --
> Eric Covener
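
Added example (not code from this thread or from httpd): a sketch of the measurement asked about in question 4, computed offline from per-connection read records instead of inside a server hook. The record format, the thresholds and the sample connections are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy values, for illustration only.
HEADER_DEADLINE_S = 10.0  # max seconds from first byte to end of headers
MIN_RATE_BPS = 50.0       # min average header bytes/second after 1 s

@dataclass
class Timing:
    request_line_s: Optional[float]  # seconds until request line complete
    headers_s: Optional[float]       # seconds until blank line ending headers
    bytes_seen: int
    verdict: str

def analyze(reads, now):
    """reads: [(timestamp, bytes), ...] received on one connection, in order."""
    start, buf = reads[0][0], b""
    req_line = headers = None
    for ts, chunk in reads:
        buf += chunk
        if req_line is None and b"\r\n" in buf:
            req_line = ts - start
        if b"\r\n\r\n" in buf:
            headers = ts - start
            break
    elapsed = headers if headers is not None else now - start
    rate = len(buf) / elapsed if elapsed > 0 else float("inf")
    if headers is not None:
        verdict = "ok" if headers <= HEADER_DEADLINE_S else "slow-complete"
    elif elapsed > HEADER_DEADLINE_S or (elapsed >= 1.0 and rate < MIN_RATE_BPS):
        verdict = "stalled-headers"
    else:
        verdict = "in-progress"
    return Timing(req_line, headers, len(buf), verdict)

# Constructed sample connections (not captured traffic).
NORMAL = [(0.00, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
          (0.05, b"User-Agent: demo\r\n\r\n")]
STALLED = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
           (15.0, b"X-a: b\r\n"), (30.0, b"X-a: b\r\n")]

if __name__ == "__main__":
    for name, reads, now in (("normal", NORMAL, 1.0), ("stalled", STALLED, 40.0)):
        print(name, analyze(reads, now))
```

The verdict here depends on elapsed time and byte rate during the header phase, not on request size alone.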
