{"id":346,"date":"2021-07-23T12:28:12","date_gmt":"2021-07-23T12:28:12","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/how-to-mitigate-slowloris-attacks\/"},"modified":"2021-07-23T12:28:12","modified_gmt":"2021-07-23T12:28:12","slug":"how-to-mitigate-slowloris-attacks","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/how-to-mitigate-slowloris-attacks\/","title":{"rendered":"How to Mitigate Slowloris Attacks"},"content":{"rendered":"<div class=\"col-md-9\">\n<h2 id=\"overview\">Overview<\/h2>\n<p>A Slowloris attack opens a large number of connections to a web server and holds each of them open for as long as possible. A web server can serve only a finite number of concurrent connections. Once the attack has consumed all of the available connections, other clients cannot reach the sites on that server.<\/p>\n<p>To accomplish this, the Slowloris program opens a connection to the web server and sends a partial HTTP request. It then sends additional header lines at long intervals, just often enough to keep the connection from idling out, but never completes the request. This process eventually fills the server\u2019s maximum number of concurrent connections, at which point the server refuses further connections from other clients.<\/p>\n<p>This document provides several methods to mitigate the impact of Slowloris attacks.<\/p>\n<p>For more information about Slowloris attacks, read the Wikipedia article on Slowloris.<\/p>\n<h2 id=\"the-recommended-method\">The recommended method<\/h2>\n<div class=\"callout callout-info\">\n<div class=\"callout-heading\">Note:<\/div>\n<div class=\"callout-content\">\n<ul>\n<li>The <code>mod_reqtimeout<\/code> module is available for Apache version 2.2.15 and later, and is included in Apache 2.4.<\/li>\n<li>On systems that run EasyApache 3, you can install the <code>mod_reqtimeout<\/code> module as an opt mod.<\/li>\n<\/ul><\/div>\n<\/div>\n<p>Place any configuration that uses the <code>mod_reqtimeout<\/code> module in the <code>\/usr\/local\/apache\/conf\/includes\/pre_main_global.conf<\/code> file.<\/p>\n<p>The following example configuration demonstrates how you can use the <code>mod_reqtimeout<\/code> module:<\/p>\n<pre><code class=\"language-apache\">&lt;IfModule mod_reqtimeout.c&gt;\n   RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500\n&lt;\/IfModule&gt;<\/code><\/pre>\n<p>This configuration allows a client 20 seconds to send the request headers. For every 500 bytes of header data the client sends, the server extends that allowance by one second, but it never waits more than 40 seconds in total for the headers to complete. A Slowloris client that sends a few bytes every 10 seconds therefore gains almost no extra time and is disconnected after roughly 20 seconds.<\/p>\n<p>The <code>body<\/code> setting applies the same rule to the request body: 20 seconds initially, extended by one second per 500 bytes of body data received, up to a maximum of 40 seconds.<\/p>\n<p>When a timeout occurs, the server sends a <code>408 Request Timeout<\/code> response and closes the connection. Run <code>apachectl configtest<\/code> after you add the directive, then restart Apache so that the change takes effect.<\/p>\n<p>For more information, read Apache\u2019s mod_reqtimeout documentation.<\/p>\n<h2 id=\"the-second-method\">The second method<\/h2>\n<div class=\"callout callout-info\">\n<div class=\"callout-heading\">Note:<\/div>\n<div class=\"callout-content\">\n<ul>\n<li>The <code>mod_qos.c<\/code> module is <strong>only<\/strong> available for systems that run EasyApache 3. We no longer support EasyApache 3 as of December 31, 2018. 
We <strong>strongly<\/strong> recommend that you upgrade to EasyApache 4.<\/li>\n<li>The <code>mod_qos.c<\/code> module is available for Apache version 2.0 and later, but we recommend that you use Apache version 2.2 or later.<\/li>\n<\/ul><\/div>\n<\/div>\n<p>The following example demonstrates how to configure the <code>mod_qos.c<\/code> module to mitigate Slowloris attacks:<\/p>\n<pre><code class=\"language-apache\">&lt;IfModule mod_qos.c&gt;\n   # handles connections from up to 100000 different IPs\n   QS_ClientEntries 100000\n   # will allow only 50 connections per IP\n   QS_SrvMaxConnPerIP 50\n   # maximum number of active TCP connections is limited to 256\n   MaxClients 256\n   # disables keep-alive when 70% of the TCP connections are occupied:\n   QS_SrvMaxConnClose 180\n   # minimum request\/response speed (deny slow clients blocking the server,\n   # ie. slowloris keeping connections open without requesting anything):\n   QS_SrvMinDataRate 150 1200\n   # and limit request header and body (careful, that limits uploads and post requests too):\n   # LimitRequestFields 30\n   # QS_LimitRequestBody 102400\n&lt;\/IfModule&gt;<\/code><\/pre>\n<p>This example configuration enforces the following behavior:<\/p>\n<ul>\n<li><code>MaxClients<\/code> \u2014 This setting limits the server to 256 concurrent connections.<\/li>\n<li><code>QS_ClientEntries<\/code> \u2014 This setting tracks up to 100,000 distinct client IP addresses.<\/li>\n<li><code>QS_SrvMaxConnPerIP<\/code> \u2014 This setting limits each IP address to a maximum of 50 concurrent connections, so a Slowloris run from a single host cannot exhaust the 256-connection pool by itself.<\/li>\n<li><code>QS_SrvMaxConnClose<\/code> \u2014 This setting disables KeepAlive once 180 connections (about 70% of <code>MaxClients<\/code>) are in use, so idle connections are released sooner under load.<\/li>\n<li><code>QS_SrvMinDataRate<\/code> \u2014 This setting requires each connection to send or receive at least 150 bytes per second. The required rate rises linearly with the number of open connections and reaches 1,200 bytes per second when the server is at its <code>MaxClients<\/code> limit. Connections that fall below the required rate are closed.<\/li>\n<li><code>LimitRequestFields<\/code> and <code>QS_LimitRequestBody<\/code> \u2014 These commented-out settings cap the number of request header fields and the request body size. Enable them only if your sites do not accept large uploads or POST requests.<\/li>\n<\/ul><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Overview The Slowloris attack attempts to open a large number of connections with a web server. Then, the attacker holds those connections open for as long as possible. A web server can only provide service to a finite number of clients. 
After the Slowloris attack consumes all of the available connections on a server, other &hellip;<\/p>\n","protected":false},"author":1,"featured_media":347,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/346"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=346"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/346\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/347"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=346"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=346"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=346"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
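The timeout semantics described under "The recommended method" (`RequestReadTimeout header=20-40,MinRate=500`), worked through as an added example; this is not code from the original post, from cPanel or from Apache. The `RequestReadTimeout` class below reproduces the directive's documented behaviour (an initial allowance, one extra second per `MinRate` bytes received, a hard maximum) so that a Slowloris client and a slow but honest client can be replayed offline against the article's numbers. `probe_header_timeout` is a one-connection check against a live server: it sends an incomplete request and measures how long the server tolerates it. The host, port and 90-second give-up limit are assumptions, the send schedules are constructed, and the probe should only be pointed at a server you are authorised to test.

```python
"""Model of Apache's `RequestReadTimeout header=20-40,MinRate=500` and a
socket probe for checking that a live server enforces such a limit.

Added example for the article; not cPanel's, Apache's or mod_qos's code.
The policy class follows the semantics given in the Apache documentation
for the directive. Scenario numbers below are constructed.
"""
import socket
import time
from typing import List, Optional, Tuple


class RequestReadTimeout:
    """Deadline bookkeeping for one read phase (headers or body)."""

    def __init__(self, initial: float, maximum: float, min_rate: int):
        if not 0 < initial <= maximum or min_rate <= 0:
            raise ValueError("need 0 < initial <= maximum and MinRate > 0")
        self.initial, self.maximum, self.min_rate = initial, maximum, min_rate
        self.started = 0.0
        self.deadline = 0.0

    def start(self, now: float) -> None:
        self.started = now
        self.deadline = now + self.initial

    def expired(self, now: float) -> bool:
        return now > self.deadline

    def on_bytes(self, now: float, nbytes: int) -> bool:
        """Account for nbytes arriving at `now`; False if already expired."""
        if self.expired(now):
            return False
        # "increase the timeout by 1 second for every MinRate bytes received",
        # but never beyond started + maximum.
        self.deadline = min(self.deadline + nbytes / self.min_rate,
                            self.started + self.maximum)
        return True


def simulate(policy: RequestReadTimeout,
             schedule: List[Tuple[float, int]],
             total_needed: int) -> Tuple[Optional[float], Optional[float]]:
    """Replay a client's send schedule [(seconds, bytes), ...] from t=0.

    Returns (finished_at, closed_at): finished_at is the time at which the
    client had delivered total_needed bytes; closed_at is the deadline at
    which the server cut the connection. Exactly one of the two is None.
    """
    policy.start(0.0)
    received = 0
    for t, n in schedule:
        if not policy.on_bytes(t, n):
            return None, policy.deadline
        received += n
        if received >= total_needed:
            return t, None
    return None, policy.deadline          # client stalled; server will close


def header_policy() -> RequestReadTimeout:
    """The article's header=20-40,MinRate=500 setting."""
    return RequestReadTimeout(initial=20.0, maximum=40.0, min_rate=500)


def slowloris_outcome() -> Tuple[Optional[float], Optional[float]]:
    """Constructed Slowloris client: 40-byte request line plus Host header,
    then one 20-byte bogus header every 10 s, never the final blank line."""
    schedule = [(0.0, 40)] + [(10.0 * k, 20) for k in range(1, 10)]
    return simulate(header_policy(), schedule, total_needed=10**9)


def slow_but_honest_outcome(total_bytes: int) -> Tuple[Optional[float], Optional[float]]:
    """Constructed legitimate client on a poor link: a steady 500 B/s."""
    schedule = [(float(k), 500) for k in range(1, 200)]
    return simulate(header_policy(), schedule, total_needed=total_bytes)


def probe_header_timeout(host: str, port: int = 80,
                         give_up_after: float = 90.0) -> Optional[float]:
    """Open one connection, send an incomplete request and wait.

    Returns seconds until the server closes the socket, or None if it is
    still open after give_up_after seconds (no read timeout enforced).
    Only run this against a server you are authorised to test.
    """
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=give_up_after) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n")  # no blank line
        while True:
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                return None
            if not chunk:                     # EOF: server gave up on us
                return time.monotonic() - start
            # A 408 response may arrive first; keep reading until EOF.


if __name__ == "__main__":
    print("slowloris (finished_at, closed_at):", slowloris_outcome())
    print("honest client, 15 kB of headers:", slow_but_honest_outcome(15000))
    print("honest client, 25 kB of headers:", slow_but_honest_outcome(25000))
```

The replay shows why the directive is effective: the trickling client is cut at about 20.16 s because 20 bytes every 10 s buys only 0.04 s of extra time per header, while a client that genuinely sustains 500 B/s keeps the connection until its 15 kB of headers are complete at 30 s and is only refused if it needs more than the 40-second ceiling. Against a live server, a `probe_header_timeout("example.internal")` result close to 20 s means the header timeout is in force; `None` means the server waited the full 90 s and is still exposed.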
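A way to confirm that the mitigation is actually firing, as an added example that is not part of the original post and not Apache's own tooling: `mod_reqtimeout` answers a timed-out connection with a 408, so a burst of 408 entries in the access log, concentrated on a few addresses that each hold many connections, is what a mitigated Slowloris looks like from the server side. The code parses Apache's combined log format and flags addresses whose 408 count inside a sliding window reaches a threshold. The log lines, addresses and timestamps are constructed for the example; the 60-second window and the threshold of 3 are assumptions to tune for your traffic.

```python
"""Spot a Slowloris-style pile-up of request-read timeouts in an Apache
access log.

Added example for the article, not part of the original post or of Apache.
The combined LogFormat and the 408 status are real; the sample lines,
addresses and timestamps are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, Tuple

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one normal visitor, one host holding many half-open
# requests that mod_reqtimeout keeps cutting, and a single stray timeout.
SAMPLE_LOG = """\
198.51.100.7 - - [23/Jul/2021:12:28:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jul/2021:12:28:12 +0000] "-" 408 - "-" "-"
203.0.113.5 - - [23/Jul/2021:12:28:12 +0000] "-" 408 - "-" "-"
203.0.113.5 - - [23/Jul/2021:12:28:13 +0000] "-" 408 - "-" "-"
203.0.113.5 - - [23/Jul/2021:12:28:13 +0000] "GET / HTTP/1.1" 408 - "-" "-"
198.51.100.7 - - [23/Jul/2021:12:28:14 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jul/2021:12:28:15 +0000] "-" 408 - "-" "-"
192.0.2.9 - - [23/Jul/2021:12:28:40 +0000] "-" 408 - "-" "-"
203.0.113.5 - - [23/Jul/2021:12:29:31 +0000] "-" 408 - "-" "-"
"""


def parse(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, int]]:
    """Yield (timestamp, client ip, status) for every line in combined format."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log line; skip it
        yield datetime.strptime(m["ts"], TS_FMT), m["ip"], int(m["status"])


def timeout_offenders(lines: Iterable[str],
                      window: timedelta = timedelta(seconds=60),
                      threshold: int = 3) -> Dict[str, int]:
    """Return {ip: peak number of 408s inside any `window`} for addresses
    whose peak reaches `threshold`. A sliding window keeps a slow trickle of
    unrelated timeouts from being mistaken for one burst."""
    per_ip = defaultdict(list)
    for ts, ip, status in parse(lines):
        if status == 408:
            per_ip[ip].append(ts)
    flagged: Dict[str, int] = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, left = 0, 0
        for right, ts in enumerate(times):
            while ts - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def status_counts(lines: Iterable[str]) -> Counter:
    """Overall status tally; 408s dwarfing 2xx is the server-wide signal of
    an attack spread across many source addresses."""
    return Counter(status for _, _, status in parse(lines))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-IP 408 bursts:", timeout_offenders(lines))
    print("status tally:", dict(status_counts(lines)))
```

In the sample, 203.0.113.5 accumulates five 408s within a few seconds and is flagged, while 192.0.2.9's single timeout is not. Feed the real log in with `timeout_offenders(open("/usr/local/apache/logs/access_log"))`; addresses that are flagged repeatedly are candidates for `QS_SrvMaxConnPerIP`-style per-IP limits or a firewall rule, and a 408 share that dominates the tally while the offenders are spread thin across many addresses points to a distributed run of the same tool.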