Guenter Knauf wrote:

Hi Andreas,
Andreas Krennmair schrieb:

For those who are still unaware of the Slowloris attack, it's a
denial-of-service attack that consumes Apache's resources by opening up
a great number of parallel connections and slowly sending partial
....
attack including a PoC tool was published here:
http://ha.ckers.org/slowloris/

I thought for some time about the whole issue, and then I developed a
proof-of-concept patch for Apache 2.2.11 (currently only touches the
prefork MPM), which you can download here:
http://synflood.at/tmp/anti-slowloris.diff

wouldn't limiting the number of simultaneous connections from one IP
already help? F.e. something like:
http://gpl.net.ua/modipcount/downloads.html

Keep in mind that, if this attack turns into a real issue, it is likely to be through a vector like botnets. It is pretty common* to see lots of bits behind a single (corporate) NAT gateway.

You would not necessarily want to penalize an entire intranet for their lack of security that way. That is not our job :).

Also - these things are only a problem when the server is resource tight - and even then - it could be modified to just invest little at that point -- either by having a different accept mechanism -or- by detecting sluggishness and then handing the connection back to something more async/single-threaded which deals with all slow connections - freeing up the 'full' worker for real work.

Dw

*: e.g. see the Conficker stats.
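The contrast Dw draws above (a per-IP connection cap punishes everyone behind one NAT, whereas judging each connection by how sluggishly it sends its header only catches the slow ones) as an added Python illustration. This is not code from this thread or from httpd; the addresses, the header deadline and the idle limit are constructed values, and `classify` is a hypothetical sluggishness check, not any module's actual logic.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    """One accepted connection: the client address and the request-header
    chunks seen so far, as (seconds since accept, bytes) pairs."""
    client_ip: str
    chunks: list


def header_complete(data: bytes) -> bool:
    """An HTTP/1.x request header ends at the first blank line."""
    return b"\r\n\r\n" in data


def classify(conn: Conn, now: float, header_deadline: float = 20.0,
             idle_limit: float = 5.0) -> str:
    """Judge a connection by its own behaviour, not by who shares its IP.

    'ok'       header finished
    'idle'     a gap between chunks (or since the last chunk) exceeded idle_limit
    'slow'     still dribbling bytes, but the total header deadline has passed
    'pending'  incomplete, but within both limits
    """
    received = b""
    last_t = 0.0                      # accept time
    for t, chunk in conn.chunks:
        if t > now:
            break                     # not seen yet at time `now`
        if t - last_t > idle_limit:
            return "idle"
        received += chunk
        last_t = t
        if header_complete(received):
            return "ok"
    if now - last_t > idle_limit:
        return "idle"
    if now > header_deadline:
        return "slow"
    return "pending"


def per_ip_rejections(conns, max_per_ip: int):
    """Naive per-source-address cap, applied in accept order; returns the
    connections such a cap would have refused."""
    seen = Counter()
    rejected = []
    for c in conns:
        seen[c.client_ip] += 1
        if seen[c.client_ip] > max_per_ip:
            rejected.append(c)
    return rejected


# Constructed sample: one corporate NAT gateway with 30 real users behind it,
# and one host holding 5 requests whose headers never finish.
NAT_GATEWAY = "203.0.113.7"
DRIBBLER = "198.51.100.9"


def build_sample():
    conns = [
        Conn(NAT_GATEWAY,
             [(0.1, b"GET /page%d HTTP/1.1\r\nHost: example.test\r\n\r\n" % i)])
        for i in range(30)
    ]
    for _ in range(5):
        # one extra header line every 4 s, never terminated by a blank line
        conns.append(Conn(DRIBBLER,
                          [(4.0 * k, b"X-Keep-Alive: yes\r\n") for k in range(1, 8)]))
    return conns


if __name__ == "__main__":
    conns = build_sample()
    rejected = per_ip_rejections(conns, max_per_ip=20)
    print("per-IP cap of 20 refuses", len(rejected), "connections, all from",
          {c.client_ip for c in rejected})
    verdicts = Counter(classify(c, now=30.0) for c in conns)
    print("sluggishness check at t=30s:", dict(verdicts))
```

Run as-is, the per-IP cap refuses ten of the NAT gateway's legitimate requests and none of the dribbling ones (five is under the cap), while the per-connection check at thirty seconds marks exactly the five never-finishing headers as slow and leaves the thirty real users alone. The thresholds are the tuning knobs: a deadline that is too short starts flagging genuinely slow links, which is the same trade-off Dw's "resource tight" remark points at.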
