Hi,

How about coding a module that looks at how many bytes are read and, if the chunk of data is too small, closes the connection? Something like a MinDataReadSize. If the read() function reads too little data, close() the socket... Dunno if it's possible to hook directly into the connection hook to do this...

Matthieu

William A. Rowe, Jr. wrote:
> Andreas Krennmair wrote:
>> * Guenter Knauf <fua...@apache.org> [2009-06-22 04:30]:
>>> wouldn't limiting the number of simultaneous connections from one IP
>>> already help? F.e. something like:
>>> http://gpl.net.ua/modipcount/downloads.html
>> Not only would this be futile against the Slowloris attack (imagine n
>> connections from n hosts instead of n connections from 1 host), it would
>> also potentially lock out groups of people behind the same NAT gateway.
>
> FWIW mod_remoteip can be used to partially mitigate the weakness of this
> class of solutions.
>
> However, it only works for known, trusted proxies, and can only be safely
> used for those with public IP's. Where the same 10.0.0.5 on your private
> NAT backed becomes the same 10.0.0.5 within the apache server's DMZ, the
> issues like Allow from 10.0.0.0/8 become painfully obvious. I haven't
> found a good solution, but mod_remoteip still needs one, eventually.
>
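
The MinDataReadSize idea from the top of this message, sketched as an added example that is not part of the original e-mail or of httpd. It generalizes the per-read size test to an average rate enforced after a grace period plus a hard deadline for the header, since TCP can legitimately deliver very small reads from a fast client; all names and thresholds are hypothetical.

```c
/* Added example: hypothetical names and thresholds, not httpd/APR API. */
#include <stddef.h>
#include <stdio.h>

typedef struct { double started; size_t bytes; } conn_stat;
typedef struct {
    double grace;      /* seconds before the rate is enforced */
    double min_rate;   /* required average bytes/second after grace */
    double max_header; /* hard limit (seconds) for a complete header */
} min_rate_policy;
enum verdict { KEEP, CLOSE_SLOW, CLOSE_TIMEOUT };

static const min_rate_policy EXAMPLE_POLICY = { 10.0, 50.0, 30.0 }; /* constructed */

/* Decide after each read; a real server would also run this from a
 * timer so that a client sending nothing at all is caught too. */
enum verdict conn_check(const conn_stat *c, const min_rate_policy *p,
                        double now, int header_done)
{
    double elapsed = now - c->started;
    if (!header_done && elapsed > p->max_header) return CLOSE_TIMEOUT;
    if (header_done || elapsed <= p->grace) return KEEP;
    if ((double)c->bytes / elapsed < p->min_rate) return CLOSE_SLOW;
    return KEEP;
}

/* Simulated client: sends `chunk` bytes every `interval` seconds until
 * `total` header bytes have arrived or the policy closes the socket. */
enum verdict simulate(const min_rate_policy *p, size_t total,
                      size_t chunk, double interval)
{
    conn_stat c = { 0.0, 0 };
    double now = 0.0;
    while (c.bytes < total) {
        now += interval;
        c.bytes += chunk;
        enum verdict v = conn_check(&c, p, now, c.bytes >= total);
        if (v != KEEP) return v;
    }
    return KEEP;
}

int main(void)
{
    printf("trickle 10B/5s: %d\n", simulate(&EXAMPLE_POLICY, 2000, 10, 5.0));
    printf("tiny fast reads: %d\n", simulate(&EXAMPLE_POLICY, 800, 1, 0.001));
    printf("60B/s, endless: %d\n", simulate(&EXAMPLE_POLICY, 100000, 60, 1.0));
    return 0;
}
```

The second case keeps a client that sends one byte per read but finishes quickly, which a pure per-read size threshold would have closed.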