Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
protecting against slowloris
Posted by: cx
Date: June 15, 2010 02:37AM

Hey,

How do you guys protect against slowloris (Apache 2.2).
There is an Apache module mod_antiloris. Is it stable and OK for production use? What about any drawbacks of using it?
They say it is good idea to use mod_antiloris together with iptables' connlimit.
But there are a lot of ISPs (and other companies) which give many users the same IP address.
Let's say I need to make my site visible to everyone (which doesn't try to DoS me of course ;) ) regardless if they share the same IP with thousand of other users or not...
What is the best protection?
AFAIK mod_security can protect against slowloris attack but i couldn't be able to find rules for it to do so.

Thx,
Mike

Options: ReplyQuote
Re: protecting against slowloris
Posted by: Skyphire
Date: June 18, 2010 05:59AM

I would make a bash file that checks iptables and put that on a cron every 1-2 minutes or so. I didn't know there was an Apache mod for it, sounds cool, but it's loaded into memory which can result in various other problems too, one of them is running low on memory, which can lead to other unseen problems e.g. running out of worker threads because Apache increases memory on each thread, exactly the thing you want to protect against in case of DoS. Sometimes mods are a solution, but not for everything.

Options: ReplyQuote
Re: protecting against slowloris
Posted by: lucifercipher
Date: December 24, 2011 10:33AM

Use netfilter to limit connections / per timeframe for a single IP address. Increasing the simultaneous connections wont help much. Besides, it consumes more server processor specially if the legit user count is high.

Options: ReplyQuote


Sorry, only registered users may post in this forum.