How to Mitigate Slowloris Attacks

Overview

The Slowloris attack attempts to open a large number of connections with a web server. Then, the attacker holds those connections open for as long as possible. A web server can only provide service to a finite number of clients. After the Slowloris attack consumes all of the available connections on a server, other clients cannot reach its sites.

To accomplish this, the Slowloris program opens a connection to the web server and sends a partial request. Then, it sends additional HTTP headers to add to those requests, but not complete them. This process eventually fills the maximum number of concurrent connections, which will deny additional connections from other clients.

This document provides several methods to mitigate the impact of Slowloris attacks.

For more information about Slowloris attacks, read Wikipedia Slowloris article.

The recommended method

Place any configurations that you wish to use the mod_reqtimeout module in the /usr/local/apache/conf/includes/pre_main_global.conf file.

The following example configuration demonstrates how you can use the mod_reqtimeout module:

1
2
3

<IfModule mod_reqtimeout.c>
   RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>

This configuration will wait up to 20 seconds for header data. As long as the client sends header data at a rate of 500 bytes per second, the server will wait for up to 40 seconds for the headers to complete.

This configuration will also wait up to 20 seconds for body data. As long as the client sends header data at a rate of 500 bytes per second, the server will wait for up to 40 seconds for the body of the request to complete.

For more information, read Apache’s ModReqtimeout Documentation.

The second method

The following example demonstrates how to configure the mod_qos.c module to mitigate Slowloris attacks:

1
2

<IfModule mod_qos.c> # handles connections from up to 100000 different IPs QS_ClientEntries 100000 # will allow only 50 connections per IP QS_SrvMaxConnPerIP 50 # maximum number of active TCP connections is limited to 256 MaxClients 256 # disables keep-alive when 70% of the TCP connections are occupied: QS_SrvMaxConnClose 180 # minimum request/response speed (deny slow clients blocking the server, ie. slowloris keeping connections open without requesting anything): QS_SrvMinDataRate 150 1200 # and limit request header and body (careful, that limits uploads and post requests too): # LimitRequestFields 30 # QS_LimitRequestBody 102400
</IfModule>

This example configuration will enforce the following behavior:

• MaxClients — This setting limits the maximum number of connections to 256.
• QS_ClientEntries — This setting tracks up to 100,000 connections.
• QS_SrvMaxConnPerIP — This setting limits each IP address to a maximum number of 50 connections.
• QS_SrvMaxConnClose — This setting disables the KeepAlive function when at least 180 connections exist.
• QS_SrvMinDataRate — This setting requires a minimum of 150 bytes per second per connection, and limits the connection to 1200 bytes per second when the server reaches the MaxClients limit.