I'm being attacked by a slow-loris attack


Enter Your Query:
Use '%' for wildcards and quotes for "exact phrases"


Top Level » Apache Related Information

I'm being attacked by a slow-loris attackLast Modified: Oct 6, 2012, 10:49 pm
Update: newer installs will have mod_reqtimeout, which is considered better than mod_antiloris.
To check, type:

/usr/sbin/httpd -l | grep mod_reqtimeout

and make sure you see mod_reqtimeout.c in the output.
Also check /etc/httpd/conf/extra/httpd-default.conf for:

<IfModule reqtimeout_module>
 RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

or something similar.





A slow loris attack is one where an IP will connect to your apache server and clog up all child processes with it's specially formed requests (I won't get into the details as to how).

The solution is to install mod_antiloris to only allow a certain number of simulatenous connections per IP at a time (I believe they set it to 5 by default)

The registered apache mod_antiloris module is listed here:
http://modules.apache.org/search.php?id=1783

Quick install instructions:

cd /root
wget http://files.directadmin.com/services/all/mod_antiloris/installoris
chmod 755 installoris
./installoris


Note that this module is for apache 2.x, and not 1.3.
 
Related Helpfiles
I want to limit the number of connections per IP, or throttle the bandwidth for all clients

2003 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST