William A. Rowe, Jr. at 2009-6-23 2:00 wrote:
Andreas Krennmair wrote:
* Guenter Knauf <fua...@apache.org> [2009-06-22 04:30]:
wouldn't limiting the number of simultaneous connections from one IP
already help? F.e. something like:
Not only would this be futile against the Slowloris attack (imagine n
connections from n hosts instead of n connections from 1 host), it would
also potentially lock out groups of people behind the same NAT gateway.

FWIW mod_remoteip can be used to partially mitigate the weakness of this
class of solutions.

However, it only works for known, trusted proxies, and can only be safely
used for those with public IPs.  Where the same on your private
NAT backed becomes the same within the Apache server's DMZ, the
issues like Allow from become painfully obvious.  I haven't
found a good solution, but mod_remoteip still needs one, eventually.

I have an idea to mitigate the problem: put Nginx as a reverse proxy server in front of Apache.

Weibin Yao
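
Added example, not part of any message in this thread: a simplified Python model of the per-IP connection limit discussed above and of the reverse-proxy idea in the last message. The worker count, the limit, the addresses and the assumption that a front proxy forwards only complete requests to the backend are all constructed for illustration.

```python
from collections import Counter

def snapshot(conns, workers, per_ip_limit=None, buffering_proxy=False):
    """Simplified model of one instant on a worker-per-connection server.

    conns: list of (client_ip, is_slow); is_slow marks a connection whose
    request never completes. Every admitted connection pins one worker.
    Returns legit served/refused counts and workers pinned by slow clients.
    """
    per_ip = Counter()
    free = workers
    out = {"legit_served": 0, "legit_refused": 0, "pinned_by_slow": 0}
    for ip, is_slow in conns:
        if buffering_proxy and is_slow:
            # Assumption: the front proxy holds incomplete requests itself
            # and forwards only complete ones, so no backend worker is used.
            continue
        over_limit = per_ip_limit is not None and per_ip[ip] >= per_ip_limit
        if over_limit or free == 0:
            out["legit_refused"] += 0 if is_slow else 1
            continue
        per_ip[ip] += 1
        free -= 1
        out["pinned_by_slow" if is_slow else "legit_served"] += 1
    return out

# Constructed sample traffic (documentation address ranges, not real hosts).
WORKERS, LIMIT = 150, 10
legit = [(f"198.51.100.{i}", False) for i in range(1, 6)]
one_host = [("203.0.113.250", True)] * 200 + legit
many_hosts = [(f"203.0.113.{i + 1}", True) for i in range(200)] + legit
nat_office = [("192.0.2.1", False)] * 40  # 40 real users behind one NAT IP

def run_all():
    return {
        "one_host_limited": snapshot(one_host, WORKERS, LIMIT),
        "many_hosts_limited": snapshot(many_hosts, WORKERS, LIMIT),
        "nat_limited": snapshot(nat_office, WORKERS, LIMIT),
        "many_hosts_proxied": snapshot(many_hosts, WORKERS, buffering_proxy=True),
    }

if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

In this model the limit contains the single-host case, does nothing when the same connections come from distinct addresses, and refuses 30 of the 40 users sharing one NAT address.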
