Hey,

How do you guys protect against slowloris (Apache 2.2).
There is an Apache module mod_antiloris. Is it stable and OK for production use? What about any drawbacks of using it?
They say it is good idea to use mod_antiloris together with iptables' connlimit.
But there are a lot of ISPs (and other companies) which give many users the same IP address.
Let's say I need to make my site visible to everyone (which doesn't try to DoS me of course ;) ) regardless if they share the same IP with thousand of other users or not...
What is the best protection?
AFAIK mod_security can protect against slowloris attack but i couldn't be able to find rules for it to do so.

Thx,
Mike

I would make a bash file that checks iptables and put that on a cron every 1-2 minutes or so. I didn't know there was an Apache mod for it, sounds cool, but it's loaded into memory which can result in various other problems too, one of them is running low on memory, which can lead to other unseen problems e.g. running out of worker threads because Apache increases memory on each thread, exactly the thing you want to protect against in case of DoS. Sometimes mods are a solution, but not for everything.

Use netfilter to limit connections / per timeframe for a single IP address. Increasing the simultaneous connections wont help much. Besides, it consumes more server processor specially if the legit user count is high.