William A. Rowe, Jr. at 2009-6-23 2:00 wrote:
Andreas Krennmair wrote:
* Guenter Knauf <fua...@apache.org> [2009-06-22 04:30]:
wouldnt limiting the number of simultanous connections from one IP
already help? F.e. something like:
http://gpl.net.ua/modipcount/downloads.html
Not only would this be futile against the Slowloris attack (imagine n
connections from n hosts instead of n connections from 1 host), it would
also potentially lock out groups of people behind the same NAT gateway.
FWIW mod_remoteip can be used to partially mitigate the weakness of this
class of solutions.
However, it only works for known, trusted proxies, and can only be safely
used for those with public IP's. Where the same 10.0.0.5 on your private
NAT backed becomes the same 10.0.0.5 within the apache server's DMZ, the
issues like Allow from 10.0.0.0/8 become painfully obvious. I haven't
found a good solution, but mod_remoteip still needs one, eventually.
I have an idea to mitigate the problem: put the Nginx as a reverse proxy
server in the front of apache.
--
Weibin Yao
