Hi,

since there was some doubt that the mod_antiloris and mod_noloris modules use the correct approach against slowloris type attacks, I hacked up something different. mod_reqtimeout allows setting timeouts for the reading request and reading body phases. It is implemented as an input connection filter that sets the socket timeout so that the total request time does not exceed the timeout value. I have done only limited testing but it seems to work (with prefork). The source is here:

http://www.sfritsch.de/mod_reqtimeout/mod_reqtimeout.c

Any comments are welcome. Some questions/thoughts:

- Is this a reasonable approach or did I overlook something important? If the former, would you consider including something like it with httpd?
- Would it work with mpm_event? Would it make sense to only insert it for ssl with mpm_event? If yes, how do I do that?
- How do I prevent the filter from being inserted for other protocols (echo, ftp)?
- Obviously the body read timeout is only useful for sites that do not allow file uploads. But an extension to a minimum body transfer rate would probably be possible. Also, it would be possible to make the body read timeout configurable by directory, which may be useful if file uploads are only allowed by authorized users.
- This does not defend against attacks like: HEAD request, wait, HEAD request, wait, ... But the keepalive timeout can be tuned for that.
- If you test it under linux or *bsd, don't get confused by the accept filter.
- Apache should respond with HTTP_REQUEST_TIME_OUT and not HTTP_BAD_REQUEST when there is a timeout reading the request.

Cheers,
Stefan
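
The idea behind the filter, as an added Python sketch that is neither Stefan's mod_reqtimeout nor httpd code: every socket read is armed with the time left in one total budget for the header phase, and a `min_rate` parameter models the minimum-transfer-rate extension the post suggests. `FakeClock`, `ScriptedPeer`, `SLOW_HEADER` and the hostname are constructed for the demonstration.

```python
import time

class RequestTimedOut(Exception):
    """Header phase exceeded its total budget; maps to 408 REQUEST_TIME_OUT."""

def read_header_with_budget(peer, budget, clock=time.monotonic, min_rate=None):
    """Read the header block within one total budget: each read is armed with the
    time *remaining*, not a fixed per-read timeout, so a peer trickling one line every
    few seconds cannot hold the worker. peer.read(t) -> bytes, b"" on EOF, None on timeout."""
    deadline = clock() + budget
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - clock()
        if remaining <= 0:
            raise RequestTimedOut("budget exhausted")
        chunk = peer.read(remaining)
        if chunk is None:
            raise RequestTimedOut("socket timeout fired")
        if chunk == b"":
            raise ConnectionError("peer closed before the header was complete")
        buf += chunk
        if min_rate:  # minimum-transfer-rate extension the post suggests: received bytes buy time
            deadline += len(chunk) / min_rate
    return buf

class FakeClock:  # constructed clock so the scenarios run instantly and deterministically
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
    def advance(self, dt): self.now += dt

class ScriptedPeer:  # constructed socket stand-in: (delay, data) pairs that honour the timeout
    def __init__(self, script, clock): self.script, self.clock = list(script), clock
    def read(self, timeout):
        if not self.script: return b""
        delay, data = self.script.pop(0)
        if delay > timeout:  # the armed socket timeout fires before the next bytes arrive
            self.clock.advance(timeout); return None
        self.clock.advance(delay); return data

# Constructed slowloris-style input: one header line every 6 s, complete only after 30 s.
SLOW_HEADER = [(6, b"GET / HTTP/1.1\r\n"), (6, b"Host: example.test\r\n"),
               (6, b"X-a: 1\r\n"), (6, b"X-b: 2\r\n"), (6, b"\r\n")]
def header_phase_status(script, budget=20.0, min_rate=None):
    """Run one scripted peer through the header phase; (status, elapsed). 408 on timeout, not 400."""
    clock = FakeClock()
    try:
        read_header_with_budget(ScriptedPeer(script, clock), budget, clock, min_rate)
        return 200, clock.now
    except RequestTimedOut:
        return 408, clock.now
```

With the default 20 s budget the trickling client is cut off at exactly 20 s with a 408 although no single gap exceeded the armed timeout; with `min_rate=1` byte/s the same client is let through, so the rate has to be chosen against the slowest legitimate clients.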
