2009/6/22 Guenter Knauf <fua...@apache.org>:
> Hi Andreas,
> Andreas Krennmair wrote:
>> For those who are still unaware of the Slowloris attack, it's a
>> denial-of-service attack that consumes Apache's resources by opening up
>> a great number of parallel connections and slowly sending partial
>> requests, never completing them. Since Apache limits the number of
>> parallel clients it serves (the MaxClients setting), this blocks further
>> requests from being completed. Unlike other "traditional" TCP DoS
>> attacks, this HTTP-based DoS attack requires only very little network
>> traffic in order to be effective. Information about the Slowloris
>> attack including a PoC tool was published here:
>> http://ha.ckers.org/slowloris/
>>
>> I thought for some time about the whole issue, and then I developed a
>> proof-of-concept patch for Apache 2.2.11 (currently only touches the
>> prefork MPM), which you can download here:
>> http://synflood.at/tmp/anti-slowloris.diff
> wouldn't limiting the number of simultaneous connections from one IP
> already help? F.e. something like:
> http://gpl.net.ua/modipcount/downloads.html

Not if the attack is launched from a botnet, which is the more likely
scenario for people who really want to hide their tracks.

BTW, focus here seems to be on the reading of the request headers
themselves. Can't trickling of actual request content data to a URL
equally tie up handler threads? Either in the case where the request
handler is doing the reads of request content, or for the case of
success status, by ap_discard_request_body() at the end of the request
and where HTTP/1.1 and keep-alive is requested.

The only difference really is that if done with request headers,
nothing would be logged about it in access logs, so not easy to track.

Graham
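The read-deadline policy the thread is circling around (a time budget for finishing the header phase, and, following Graham's point, the body phase too, with a minimum data rate so that trickled bytes cannot extend the budget forever), as an added Python example. This is not the patch linked in the thread and not Apache code; the timeout and rate values are assumptions, and the chunk traces are constructed. The replay returns a structured reason on a drop so the caller can write its own log line, which matters because, as Graham notes, a request killed during header reading never reaches the access log.

```python
"""Per-connection read deadline with a minimum data rate.

Added example (not the thread's patch). Models one phase of one
connection: the client gets an initial budget, each received chunk buys
nbytes/min_rate more seconds, and the budget is capped at max_timeout
from the phase start. Timing values are assumptions, not Apache defaults.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ReadDeadline:
    phase: str              # "header" or "body"
    start: float            # seconds, when this phase began
    initial_timeout: float  # budget granted before any data arrives
    max_timeout: float      # hard cap on how far data can push the deadline
    min_rate: float         # bytes per second the client must sustain

    def __post_init__(self) -> None:
        self.deadline = self.start + self.initial_timeout
        self.received = 0

    def on_data(self, nbytes: int) -> None:
        """Extend the deadline by the time nbytes 'earns' at min_rate,
        never beyond start + max_timeout, so a trickle cannot park a
        handler indefinitely."""
        self.received += nbytes
        extended = self.deadline + nbytes / self.min_rate
        self.deadline = min(extended, self.start + self.max_timeout)

    def expired(self, now: float) -> Optional[str]:
        """None while within budget; otherwise a reason string for a
        dedicated log line (these drops never reach the access log)."""
        if now <= self.deadline:
            return None
        return (f"{self.phase} phase: deadline {self.deadline:.2f}s passed "
                f"with only {self.received} bytes received")


def read_phase(chunks: List[Tuple[float, bytes]], phase: str,
               content_length: Optional[int] = None,
               initial_timeout: float = 20.0, max_timeout: float = 40.0,
               min_rate: float = 500.0) -> Tuple[str, str]:
    """Replay timestamped chunks (constructed traces) through one phase.

    Returns (outcome, detail) with outcome one of:
      "complete" - headers terminated by CRLFCRLF / body reached
                   content_length before the deadline
      "dropped"  - the deadline passed before the next chunk arrived
      "waiting"  - trace ended with the handler still blocked on the socket
    """
    guard = ReadDeadline(phase, 0.0, initial_timeout, max_timeout, min_rate)
    buf = b""
    for t, data in sorted(chunks, key=lambda c: c[0]):
        reason = guard.expired(t)
        if reason:
            # The server would have closed the socket at guard.deadline,
            # before this chunk ever arrived.
            return "dropped", reason
        guard.on_data(len(data))
        buf += data
        if phase == "header" and b"\r\n\r\n" in buf:
            return "complete", f"headers in {t:.2f}s"
        if (phase == "body" and content_length is not None
                and len(buf) >= content_length):
            return "complete", f"body in {t:.2f}s"
    return "waiting", f"handler blocked until {guard.deadline:.2f}s"


# Constructed traces (not captured traffic).
NORMAL_CLIENT = [(0.1, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
# One header line every 15 s, never sending the terminating blank line.
SLOW_HEADERS = [(15.0 * i, b"X-a: b\r\n") for i in range(4)]
# Body of 10000 bytes dribbled in at 100 bytes every 10 s.
SLOW_BODY = [(10.0 * i, b"a" * 100) for i in range(6)]
FAST_BODY = [(2.0, b"a" * 3000)]

if __name__ == "__main__":
    print(read_phase(NORMAL_CLIENT, "header"))
    print(read_phase(SLOW_HEADERS, "header"))
    print(read_phase(SLOW_BODY, "body", content_length=10000))
    print(read_phase(FAST_BODY, "body", content_length=3000))
```

Note that the same rule is applied per connection regardless of source address, which is what makes it hold up against the botnet case Graham raises: a per-IP connection cap is blind to one slow connection per bot, whereas the deadline reclaims each parked handler on its own.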