https://issues.apache.org/bugzilla/show_bug.cgi?id=56751
Bug ID: 56751
Summary: Fails to properly mitigate Slow Post DoS attack
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: mod_reqtimeout
Assignee: [email protected]
Reporter: [email protected]
DETAILS:
The recommended/default mod_reqtimeout configuration allows a remote attacker
to consume all Apache connections while sending part of the post body in time
intervals (AKA SlowPost attack) with a byte-rate greater than the configured
MinRate (500 by default).
Example: sending 10Kb of the body every 5 seconds bypasses the recommended
configuration.
References to recommended conf:
1. http://publib.boulder.ibm.com/httpserv/manual60/mod/mod_reqtimeout.html
2. http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SlowlorisAttacks
3. http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html#Mitigating Slow Request Attacks with Mod_Reqtimeout and ModSecurity
IMPACT:
Most Apache users who rely on the mod_reqtimeout module to mitigate the
SlowPost DoS attack are vulnerable.
SOLUTION:
Add to the default configuration an upper bound (maxtimeout) for the "body"
parameter.
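The deadline rule the report is about, modelled as an added Python example (my own code, not part of the bug report or of httpd). It follows the documented RequestReadTimeout semantics: the body phase starts with the "initial" seconds, each received byte buys 1/MinRate more seconds, and only when an upper bound is given does the deadline stop growing. The configuration strings and the 10 KiB-every-5-seconds pattern are taken from the report; the function names and the traffic replay are assumptions of this example.

```python
"""Model of the mod_reqtimeout body deadline with and without an upper bound."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BodyTimeout:
    initial: float            # seconds granted before any body byte arrives
    min_rate: Optional[int]   # MinRate in bytes/second, None if not configured
    maximum: Optional[float]  # upper bound in seconds (body=initial-maximum), None if absent


def parse_body_spec(spec: str) -> BodyTimeout:
    """Parse the body part of a RequestReadTimeout value, e.g. 'body=10-30,MinRate=500'."""
    fields = dict(item.split("=", 1) for item in spec.split(","))
    low, _, high = fields["body"].partition("-")
    rate = int(fields["MinRate"]) if "MinRate" in fields else None
    return BodyTimeout(float(low), rate, float(high) if high else None)


def replay_slow_body(cfg: BodyTimeout, chunk_bytes: int, interval: float, total_bytes: int):
    """Replay a client that delivers chunk_bytes every interval seconds until total_bytes
    are sent. Returns (closed_by_server, seconds_when_server_gave_up_or_finished, bytes_accepted)."""
    now = 0.0
    deadline = cfg.initial
    accepted = 0
    while accepted < total_bytes:
        now += interval
        if now > deadline:             # nothing arrived before the deadline: connection closed
            return True, deadline, accepted
        accepted += chunk_bytes
        if cfg.min_rate:               # documented MinRate rule: 1 second per MinRate bytes
            deadline += chunk_bytes / cfg.min_rate
        if cfg.maximum is not None:    # the upper bound the report asks for caps the deadline
            deadline = min(deadline, cfg.maximum)
    return False, now, accepted


if __name__ == "__main__":
    # Constructed traffic from the report: 10 KiB every 5 s is 2048 B/s, above MinRate=500.
    for spec in ("body=20,MinRate=500", "body=10-30,MinRate=500"):
        print(spec, replay_slow_body(parse_body_spec(spec), 10 * 1024, 5.0, 200 * 1024))
```

With no upper bound the replay shows the connection held for the full 100 seconds of the transfer; with body=10-30 the server gives up at 30 seconds after accepting six chunks.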