httpd-users mailing list archives

From Nerius Landys <>
Subject Re: [users@httpd] slowloris mitigation
Date Wed, 14 Apr 2010 22:37:57 GMT
> Posted to users@ (as well as dev@) in case anyone wants to
> report experiences - good or bad - on using it.

I have tried using various Apache modules to address possibilities of
Slowloris attacks.  Finally, after not being satisfied with what
existing modules had to offer, I ended up using operating system
firewall rules to limit the number of concurrent TCP connections from
any given IP address.  The firewall solution (using OpenBSD Packet
Filter) was not perfect either, because connections in a FIN_WAIT_2
state are counted towards the "open connection number", and they
linger for about a minute.  What I really wanted was a limit on the
number of established TCP connections from any single IP address.

The problem I had with existing Apache modules (I forget which ones
exactly I tried) is that they forked a child process for incoming
connections, and then only after forking did they close the connection
under certain conditions.  What I really wanted was the ability to
_not_ fork a child process for an incoming TCP connection from an IP
address if there already exist N established TCP connections
from that IP address.  Perhaps due to the limitations of Apache's
architecture (??) it's not possible to control whether a TCP
connection causes a fork (??) via custom module.  Since Apache forks
always, regardless of what the anti-loris modules did afterwards, the
max children in Apache can be reached quickly and that would cause a
denial of service until the children would be freed up.  Is it
possible to write a module that prevents a fork altogether as

The official User-To-User support forum of the Apache HTTP Server Project.
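The firewall approach the poster settled on, written out as an added example that is not part of the original message or the poster's ruleset. It is a pf.conf fragment for OpenBSD Packet Filter; the interface name, port list, timeout and numeric limits are assumptions and need tuning to real traffic. The point of the example is that the limit is enforced on the SYN, before the connection exists, so a source over its limit is never accepted by Apache and therefore never costs a child process, which is the property the poster was asking for. The poster's complaint about FIN_WAIT_2 connections still applies: a half-closed connection keeps its pf state, and its place in the per-source count, until pf expires it, and the `tcp.finwait` timeout (45 seconds by default) is the knob that bounds that window.

```pf
# Added example, not the poster's ruleset: per-source connection limits
# for an HTTP server behind OpenBSD pf. The interface, ports, timeout
# and limits are assumed values.
ext_if = "em0"
http_ports = "{ 80 443 }"

# Sources that exceed the limits are parked in this table and blocked
# outright, so their later SYNs never reach the listener: Apache never
# accept()s the connection and so never forks a child for it.
table <slowloris> persist

# Half-closed connections (FIN_WAIT_2 on the host) hold their state, and
# their slot in the per-source count, until pf expires it. Default is 45 s;
# 30 s is an assumed value that shortens the window the poster describes.
set timeout tcp.finwait 30

block in quick on $ext_if from <slowloris> to any

# max-src-conn:      concurrent TCP connections per source that have
#                    completed the three-way handshake (pf.conf(5))
# max-src-conn-rate: new connections per source over a sliding window
# overload ... flush global: on breach, add the source to the table and
#                    drop every state it owns under any rule
pass in on $ext_if proto tcp from any to ($ext_if) port $http_ports \
    flags S/SA keep state \
    (max-src-conn 25, max-src-conn-rate 15/5, overload <slowloris> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, inspect who has been parked with `pfctl -t slowloris -T show`, and age entries out with `pfctl -t slowloris -T expire 3600` (drops entries older than an hour) rather than leaving blocked sources in the table forever. Two caveats a defender should weigh: the limit applies per source address, so a NAT gateway or proxy fronting many legitimate users shares one budget and the number must leave room for that; and like any per-source counter it does nothing against an attacker spreading connections over many addresses, so it complements rather than replaces a per-request read timeout in the server itself.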
