Stefan Fritsch wrote:
> Hi,
> since there was some doubt that the mod_antiloris and mod_noloris
> modules use the correct approach against slowloris type attacks, I
> hacked up something different. mod_reqtimeout allows setting timeouts
> for the reading request and reading body phases. It is implemented as
> an input connection filter that sets the socket timeout so that the
> total request time does not exceed the timeout value. I have done only
> limited testing but it seems to work (with prefork). The source is
> here:
> http://www.sfritsch.de/mod_reqtimeout/mod_reqtimeout.c

On a quick glance: interesting approach, thanks for posting.
How does it relate to the Timeout directive?

One comment: you're returning APR_EGENERAL if there's no config.
I'd strongly suggest you always do-nothing if not configured.
Or if not-configured is a can't-happen event, catch it with
an ap_assert.

> - Is this a reasonable approach or did I overlook something important?
> If the former, would you consider including something like it with
> httpd?

Would need think-time to answer that (and it's way too noisy to think
here).

> - How do I prevent the filter from being inserted for other protocols
> (echo, ftp)?

Make it check the port, and do-nothing if it's not configured to act
on that port.

> - Obviously the body read timeout is only useful for sites that do not
> allow file uploads. But an extension to a minimum body transfer rate
> would probably be possible. Also, it would be possible to make the
> body read timeout configurable by directory, which may be useful if
> file uploads are only allowed by authorized users.

The body part probably overlaps with what existing modules like
mod_evasive and the bandwidth-management modules do. Have you
looked at them?

> - This does not defend against attacks like: HEAD request, wait, HEAD
> request, wait, ... But the keepalive timeout can be tuned for that.
> - If you test it under linux or *bsd, don't get confused by the accept
> filter.
> - Apache should respond with HTTP_REQUEST_TIME_OUT and not
> HTTP_BAD_REQUEST when there is a timeout reading the request.

In the slowloris case, it needs to time out before there's any such
thing as an HTTP request, so it won't be sending an HTTP response.
But I guess you're talking about the body timeout?
--
Nick Kew
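A constructed C model of the bookkeeping the filter described above needs (an absolute deadline per read phase, the socket timeout set before each read to the time still left, and the minimum transfer rate extension floated for the body phase), added here for illustration; it is not the code at the URL above nor any Apache API, and the type and function names, the microsecond units, the 10 s / 30 s / 500 B/s figures in the test and the simulated client are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed model of the bookkeeping such a filter needs: an absolute deadline
 * per read phase, the socket timeout set before each read to the time left, and
 * an optional minimum-rate extension capped by a hard maximum. Times are usec. */
typedef struct {
    int64_t deadline_us;     /* phase must finish by this absolute time */
    int64_t max_deadline_us; /* ceiling when extending by received bytes */
    int64_t usec_per_byte;   /* credit per received byte; 0 = fixed timeout */
} reqtimeout_phase;
void phase_start(reqtimeout_phase *p, int64_t now_us, int64_t timeout_us,
                 int64_t max_timeout_us, int64_t min_rate_bytes_per_sec)
{
    p->deadline_us = now_us + timeout_us;
    p->max_deadline_us = now_us + max_timeout_us;
    p->usec_per_byte = min_rate_bytes_per_sec > 0 ? 1000000 / min_rate_bytes_per_sec : 0;
}
/* Socket timeout for the next read: time left, or -1 once the deadline has
 * passed (the filter then returns a timeout error instead of reading). */
int64_t phase_socket_timeout(const reqtimeout_phase *p, int64_t now_us)
{
    return p->deadline_us > now_us ? p->deadline_us - now_us : -1;
}
/* Credit bytes that actually arrived, never moving the deadline past the cap. */
void phase_received(reqtimeout_phase *p, int64_t nbytes)
{
    if (p->usec_per_byte == 0 || nbytes <= 0) return;
    int64_t ext = nbytes * p->usec_per_byte;
    p->deadline_us = (p->max_deadline_us - p->deadline_us < ext)
                   ? p->max_deadline_us : p->deadline_us + ext;
}
/* Simulated client (no real socket): sends `chunk` bytes every `interval_us`
 * until `total` bytes are out; each read blocks until data or the socket
 * timeout. True if the phase completes, false if the timeout cuts it off. */
bool client_completes(int64_t chunk, int64_t interval_us, int64_t total,
                      int64_t timeout_us, int64_t max_us, int64_t min_rate)
{
    reqtimeout_phase p;
    int64_t now = 0, got = 0;
    phase_start(&p, now, timeout_us, max_us, min_rate);
    while (got < total) {
        if (phase_socket_timeout(&p, now) < interval_us) return false;
        now += interval_us;
        phase_received(&p, chunk);
        got += chunk;
    }
    return true;
}
```

With a 10 s header budget and 500 B/s minimum rate, a client trickling 10 bytes every 5 s is cut off on its third read while a client sending 1 kB/s finishes, and the 30 s cap stops a single large read from buying unbounded time.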