httpd-docs mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Httpd Wiki] Update of "DoS" by GuillermoGrandes
Date Fri, 29 Apr 2011 11:54:12 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "DoS" page has been changed by GuillermoGrandes.
The comment on this change is: Update CPU drain.
http://wiki.apache.org/httpd/DoS?action=diff&rev1=8&rev2=9

--------------------------------------------------

  
  The slowloris author notes that the script was ineffective running on Windows, because it
only made about 130 concurrent outgoing connections.  I observed similar limitations on *X
platforms: on Opensolaris it was 252, and on Linux it was 1020.  I suspect those could be
varied by tuning the host's kernel parameters and/or the Perl build, but I haven't investigated
that.
  
- The slowloris script is also a big CPU drain on its own host.  Running it on my opensolaris
box, it took around 50% of the CPU (as shown by top(1)) to hold 252 connections open and trickle
data.  On linux it was over 99% to hold 1020 connections.  Running both slowloris and apache
on the linux box, apache responded effortlessly to /server-status requests while servicing
the slowloris attack, all while sharing the <1% of CPU left by slowloris with top and the
Gnome desktop.
+ --(The slowloris script is also a big CPU drain on its own host.  Running it on my opensolaris
box, it took around 50% of the CPU (as shown by top(1)) to hold 252 connections open and trickle
data.  On linux it was over 99% to hold 1020 connections.  Running both slowloris and apache
on the linux box, apache responded effortlessly to /server-status requests while servicing
the slowloris attack, all while sharing the <1% of CPU left by slowloris with top and the
Gnome desktop.)--
+ 
+ ['''Update: 29.Apr.2011'''] slowloris-perl can be patched (1 line) to reduce CPU drain...
(only use 2%, 500 connections in linux-box/threaded, this crash typical server in 15 seconds)
  
  MaxClients
  
- Based in this observation, a sufficient (albeit clumsy) defence against a single attacker
is to raise maxclients.
- This is probably a good idea in any case: the defaults shipped by apache and at least some
packagers go back to a time when an average server might have 32Mb RAM!  However, it may create
a conflict with applications running on the webserver that cannot reasonably support large
numbers of concurrent clients.
+ --(Based in this observation, a sufficient (albeit clumsy) defence against a single attacker
is to raise maxclients. This is probably a good idea in any case: the defaults shipped by
apache and at least some packagers go back to a time when an average server might have 32Mb
RAM!)--  170 clientes drain almost 1Gb-RAM. However, it may create a conflict with applications
running on the webserver that cannot reasonably support large numbers of concurrent clients.
  
  Raising MaxClients
  
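Review bot: the new "['''Update: 29.Apr.2011''']" line claims a one-line patch to slowloris-perl drops its CPU use to 2% while holding 500 connections, but neither the change itself nor a link to it is given, so a reader cannot reproduce or check the figures ("only use 2%, 500 connections in linux-box/threaded, this crash typical server in 15 seconds"); either state the patched line or reference it, and say which httpd MPM and configuration the "15 seconds" was measured against. The same hunk strikes out the original MaxClients advice and the sentence that justified it, leaving "However, it may create a conflict with applications ..." standing on its own with nothing for "However" to contrast against; the inserted "170 clientes drain almost 1Gb-RAM" (should read "clients") also needs the MPM and per-process footprint it was observed under, since that is the whole argument for or against raising MaxClients.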
@@ -27, +28 @@

  
  Timeout
  
+ In [[http://mail-archives.apache.org/mod_mbox/httpd-users/200711.mbox/<22A657FA-0346-47F3-A72F-61EAEEF3F5AE@apache.org>|http://mail-archives.apache.org/mod_mbox/httpd-users/200711.mbox/%3C22A657FA-0346-47F3-A72F-61EAEEF3F5AE@apache.org%3E]]
, Sander Temme wrote: ''If you're being DOS attacked by trickle requests, you could try  
setting a very low timeout (default is 5 minutes which doesn't seem   to be working for you)
and perhaps use mod_evasive or somesuch to   flag and firewall the bad clients.'' TBD: put
some numbers to "low timeout".
- In http://mail-archives.apache.org/mod_mbox/httpd-users/200711.mbox/%3C22A657FA-0346-47F3-A72F-61EAEEF3F5AE@apache.org%3E
, Sander Temme wrote:
- ''If you're being DOS attacked by trickle requests, you could try  
- setting a very low timeout (default is 5 minutes which doesn't seem  
- to be working for you) and perhaps use mod_evasive or somesuch to  
- flag and firewall the bad clients.''
- TBD: put some numbers to "low timeout".
- 
  
  Resource limits
  

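Review bot: the rewritten citation on the "+ In [[...]]" line wraps the same archive URL twice, once with raw "<" and ">" around the message-id and once percent-encoded as "%3C"/"%3E"; the raw angle-bracket form is the one MoinMoin uses as the link target and may not survive rendering, so keep only the percent-encoded URL (or give it a short label such as the message subject) rather than both. Collapsing the quotation onto one line is fine, but the trailing "TBD: put some numbers to "low timeout"" is carried over unchanged; if no concrete Timeout values are being proposed, say so, otherwise this edit is the place to add them.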
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

