Protecting Apache From Slowloris

D

debian_guy

Guest
Slowloris is sometimes can be very vital attack that has capability of fill your connection limit of apache which is generally less than 250.Its like as the connection based equivalent of a SYN flood. Opening socket and cut the connection by client that you need to wait for it.

A best way to defend the server with timeout settings, which is fine to defend a single attacker but leads into new issues. mod_qos gives some fine-grained opportunities to scale the number of used connections and to defend an attack according to bandwidth limits. Here is the way that helps protecting from slowloris on my apache server on debian based systems.

First install mod_qos package for apache2
apt-get install libapache2-mod-qos


mod_qos config file:
/etc/apache2/mods-available/qos.conf
Code:
<IfModule qos_module>

[B]  # minimum request rate (bytes/sec at request reading):
  #QS_SrvRequestRate                                120

  # limits the connections for this virtual host:
  #QS_SrvMaxConn                                    100

  # allows keep-alive support till the server reaches 600 connections:
  #QS_SrvMaxConnClose                                600

  # allows max 50 connections from a single ip address:
  QS_SrvMaxConnPerIP                                50
</IfModule>

Enable mod_qos module
a2enmod mod qos

Restart apache2
service apache2 restart

Test if the attack continues afterward by connections status and tweak your qos config until it fits for you
apachectl status
 
Last edited:



Members online


Top