Guenter Knauf wrote:
Hi Andreas,
Andreas Krennmair wrote:
For those who are still unaware of the Slowloris attack, it's a denial-of-service attack that consumes Apache's resources by opening up a great number of parallel connections and slowly sending partial
attack including a PoC tool was published here: http://ha.ckers.org/slowloris/ I thought for some time about the whole issue, and then I developed a proof-of-concept patch for Apache 2.2.11 (currently only touches the prefork MPM), which you can download here: http://synflood.at/tmp/anti-slowloris.diff
Wouldn't limiting the number of simultaneous connections from one IP already help? E.g. something like: http://gpl.net.ua/modipcount/downloads.html
Keep in mind that, if this attack turns into a real issue, it is likely to be through a vector like botnets. It is pretty common* to see lots of bits behind a single (corporate) NAT gateway.
You would not necessarily want to penalize an entire intranet for their lack of security that way. That is not our job :).
Also - these things are only a problem when the server is resource-tight - and even then - it could be modified to just invest little at that point -- either by having a different accept mechanism -or- by detecting sluggishness and then handing the connection back to something more async/single-threaded which deals with all slow connections - freeing up the 'full' worker for real work.
Dw

*: e.g. see the Conficker stats.
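The hand-off idea in the last reply (a blocking worker gives up on a sluggish header read and passes the socket to one async "slow lane") is easy to reason about with a small model. The simulation below is an added example written for this page; it is not code from the thread, from Andreas's patch or from Apache. All connection timelines are constructed, and the deadline rule is modelled on the header-timeout scheme Apache later shipped in mod_reqtimeout (RequestReadTimeout header=20-40,MinRate=500): a slow reader gets 20 s, extended by one second per 500 bytes received, capped at 40 s. The point it shows is how long a legitimate client waits for a worker when six slow senders arrive first, with and without the hand-off.

```python
"""Model of 'hand sluggish header reads to an async slow lane'.

Constructed simulation, not Apache code.  A pool of blocking workers accepts
connections and reads request headers.  With a finite worker_patience, a
worker that has waited that long without a complete header moves the socket
to a single slow lane; the slow lane keeps reading all such sockets and
drops any whose header is still incomplete when a rate-based deadline expires.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_LEN = 200   # constructed: bytes a client must send before "\r\n\r\n"
DT = 0.5           # simulation step in seconds


@dataclass
class Conn:
    cid: str
    start: float                          # time the kernel completes the TCP handshake
    arrivals: List[Tuple[float, int]]     # (offset seconds since start, bytes sent)
    received: int = 0
    lane: str = "queued"                  # queued -> worker -> done | slow -> done | dropped
    accepted_at: Optional[float] = None
    finished_at: Optional[float] = None
    outcome: Optional[str] = None

    def bytes_by(self, t: float) -> int:
        return sum(n for off, n in self.arrivals if self.start + off <= t)


def header_deadline(received: int, base=20.0, min_rate=500, cap=40.0) -> float:
    """Seconds after accept by which the header must be complete.
    Modelled on header=20-40,MinRate=500: each min_rate bytes buys one more
    second, never beyond cap."""
    return min(cap, base + received / min_rate)


def simulate(conns: List[Conn], workers: int, worker_patience=math.inf, horizon=60.0):
    """Advance time in DT steps; return ({cid: (outcome, finished_at)}, peak busy workers)."""
    t, busy, peak = 0.0, 0, 0
    while t <= horizon:
        for c in conns:
            if c.lane in ("done", "dropped"):
                continue
            c.received = min(HEADER_LEN, c.bytes_by(t))
            complete = c.received >= HEADER_LEN
            if c.lane == "worker":
                if complete:
                    c.lane, c.outcome, c.finished_at = "done", "served-by-worker", t
                    busy -= 1
                elif t - c.accepted_at >= worker_patience:
                    c.lane = "slow"          # free the worker, keep the socket alive
                    busy -= 1
                elif t - c.accepted_at > header_deadline(c.received):
                    c.lane, c.outcome, c.finished_at = "dropped", "timeout-in-worker", t
                    busy -= 1
            elif c.lane == "slow":
                if complete:
                    c.lane, c.outcome, c.finished_at = "done", "served-by-slow-lane", t
                elif t - c.accepted_at > header_deadline(c.received):
                    c.lane, c.outcome, c.finished_at = "dropped", "timeout-in-slow-lane", t
        # hand free workers to queued connections in arrival order
        for c in sorted(conns, key=lambda c: c.start):
            if c.lane == "queued" and c.start <= t and busy < workers:
                c.lane, c.accepted_at = "worker", t
                busy += 1
        peak = max(peak, busy)
        t = round(t + DT, 6)
    return {c.cid: (c.outcome, c.finished_at) for c in conns}, peak


def scenario() -> List[Conn]:
    """Constructed load: six senders that trickle 10 header bytes every 5 s
    starting at t=0, and two ordinary clients at t=1 that send a full header
    within 100 ms."""
    slow = [Conn(f"s{i}", 0.0, [(5.0 * k, 10) for k in range(12)]) for i in range(1, 7)]
    legit = [Conn(f"l{i}", 1.0, [(0.1, HEADER_LEN)]) for i in range(1, 3)]
    return slow + legit


def run(worker_patience=math.inf):
    return simulate(scenario(), workers=3, worker_patience=worker_patience)


if __name__ == "__main__":
    for label, patience in (("no hand-off", math.inf), ("hand-off after 2 s", 2.0)):
        results, peak = run(patience)
        print(f"{label}: peak busy workers={peak}")
        for cid, (outcome, at) in results.items():
            print(f"  {cid}: {outcome} at t={at}")
```

With three workers and no hand-off, the legitimate clients are not served until every slow sender ahead of them has exhausted its deadline (t=41.5 s in this scenario); with a 2 s hand-off the same clients complete at t=4.5 s and the slow sockets are timed out in the slow lane without ever holding a worker for more than two seconds. Lowering worker_patience further would help the legitimate clients more, at the cost of moving slow-but-honest clients to the lane earlier.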