Overview
The Slowloris attack attempts to open a large number of connections with a web server. Then, the attacker holds those connections open for as long as possible. A web server can only provide service to a finite number of clients. After the Slowloris attack consumes all of the available connections on a server, other clients cannot reach its sites.
To accomplish this, the Slowloris program opens a connection to the web server and sends a partial request. Then, it sends additional HTTP headers to add to those requests, but not complete them. This process eventually fills the maximum number of concurrent connections, which will deny additional connections from other clients.
This document provides several methods to mitigate the impact of Slowloris attacks.
For more information about Slowloris attacks, read Wikipedia Slowloris article.
The recommended method
- The
mod_reqtimeout
module is available for Apache version 2.2. - On systems that run EasyApache 3, you can install the
mod_reqtimeout
module as an opt mod.
Place any configurations that you wish to use the mod_reqtimeout
module in the /usr/local/apache/conf/includes/pre_main_global.conf
file.
The following example configuration demonstrates how you can use the mod_reqtimeout
module:
|
|
This configuration will wait up to 20 seconds for header data. As long as the client sends header data at a rate of 500 bytes per second, the server will wait for up to 40 seconds for the headers to complete.
This configuration will also wait up to 20 seconds for body data. As long as the client sends header data at a rate of 500 bytes per second, the server will wait for up to 40 seconds for the body of the request to complete.
For more information, read Apache’s ModReqtimeout Documentation.
The second method
- The
mod_qos.c
module is only available for systems that run EasyApache 3. We no longer support EasyApache 3 as of December 31, 2018. We strongly recommend that you upgrade to EasyApache 4. - The
mod_qos.c
module is available for Apache version 2.0 and later, but we recommend that you use Apache version 2.2 or later.
The following example demonstrates how to configure the mod_qos.c
module to mitigate Slowloris attacks:
|
|
This example configuration will enforce the following behavior:
MaxClients
— This setting limits the maximum number of connections to 256.QS_ClientEntries
— This setting tracks up to 100,000 connections.QS_SrvMaxConnPerIP
— This setting limits each IP address to a maximum number of 50 connections.QS_SrvMaxConnClose
— This setting disables the KeepAlive function when at least 180 connections exist.QS_SrvMinDataRate
— This setting requires a minimum of 150 bytes per second per connection, and limits the connection to 1200 bytes per second when the server reaches theMaxClients
limit.