Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "DoS" page has been changed by GuillermoGrandes. The comment on this change is: Update CPU drain. http://wiki.apache.org/httpd/DoS?action=diff&rev1=8&rev2=9 -------------------------------------------------- The slowloris author notes that the script was ineffective running on Windows, because it only made about 130 concurrent outgoing connections. I observed similar limitations on *X platforms: on Opensolaris it was 252, and on Linux it was 1020. I suspect those could be varied by tuning the host's kernel parameters and/or the Perl build, but I haven't investigated that. - The slowloris script is also a big CPU drain on its own host. Running it on my opensolaris box, it took around 50% of the CPU (as shown by top(1)) to hold 252 connections open and trickle data. On linux it was over 99% to hold 1020 connections. Running both slowloris and apache on the linux box, apache responded effortlessly to /server-status requests while servicing the slowloris attack, all while sharing the <1% of CPU left by slowloris with top and the Gnome desktop. + --(The slowloris script is also a big CPU drain on its own host. Running it on my opensolaris box, it took around 50% of the CPU (as shown by top(1)) to hold 252 connections open and trickle data. On linux it was over 99% to hold 1020 connections. Running both slowloris and apache on the linux box, apache responded effortlessly to /server-status requests while servicing the slowloris attack, all while sharing the <1% of CPU left by slowloris with top and the Gnome desktop.)-- + + ['''Update: 29.Apr.2011'''] slowloris-perl can be patched (1 line) to reduce CPU drain... (only use 2%, 500 connections in linux-box/threaded, this crash typical server in 15 seconds) MaxClients - Based in this observation, a sufficient (albeit clumsy) defence against a single attacker is to raise maxclients. 
- This is probably a good idea in any case: the defaults shipped by apache and at least some packagers go back to a time when an average server might have 32Mb RAM! However, it may create a conflict with applications running on the webserver that cannot reasonably support large numbers of concurrent clients. + --(Based in this observation, a sufficient (albeit clumsy) defence against a single attacker is to raise maxclients. This is probably a good idea in any case: the defaults shipped by apache and at least some packagers go back to a time when an average server might have 32Mb RAM!)-- 170 clientes drain almost 1Gb-RAM. However, it may create a conflict with applications running on the webserver that cannot reasonably support large numbers of concurrent clients. Raising MaxClients @@ -27, +28 @@ Timeout + In [[http://mail-archives.apache.org/mod_mbox/httpd-users/200711.mbox/<[email protected]>|http://mail-archives.apache.org/mod_mbox/httpd-users/200711.mbox/%[email protected]%3E]] , Sander Temme wrote: ''If you're being DOS attacked by trickle requests, you could try setting a very low timeout (default is 5 minutes which doesn't seem to be working for you) and perhaps use mod_evasive or somesuch to flag and firewall the bad clients.'' TBD: put some numbers to "low timeout". - In http://mail-archives.apache.org/mod_mbox/httpd-users/200711.mbox/%[email protected]%3E , Sander Temme wrote: - ''If you're being DOS attacked by trickle requests, you could try - setting a very low timeout (default is 5 minutes which doesn't seem - to be working for you) and perhaps use mod_evasive or somesuch to - flag and firewall the bad clients.'' - TBD: put some numbers to "low timeout". - Resource limits --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
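Review bot: the added ['''Update: 29.Apr.2011'''] paragraph in the CPU-drain hunk says slowloris-perl "can be patched (1 line) to reduce CPU drain" but never says what the one-line change is, so nobody can reproduce the "2%, 500 connections, 15 seconds" figures or judge whether the struck-through measurements (about 50% CPU for 252 connections on OpenSolaris, over 99% for 1020 on Linux) are still representative. Suggest naming the change or linking the patched script, stating the test host and MPM ("linux-box/threaded" is not enough), and leaving the original paragraph visible rather than wrapping it in --( )--, since the update qualifies it instead of contradicting it. The sentence "this crash typical server in 15 seconds" should read "this crashes a typical server in 15 seconds".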
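Review bot: in the MaxClients hunk, striking through "Based in this observation ... 32Mb RAM!" leaves the surviving sentence "However, it may create a conflict with applications running on the webserver ..." with nothing to contrast against, and the replacement "170 clientes drain almost 1Gb-RAM" (typo: "clients", "1 GB") gives no configuration: that is roughly 6 MB per client, which depends on the MPM and on what is loaded into each child, so it describes that host rather than httpd in general. Suggest keeping the original advice, adding the RAM observation as a caveat that names the MPM and loaded modules, and saying explicitly that MaxClients has to stay within what available RAM supports or the defence just moves the outage from connection slots to swap.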
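Review bot: the @@ -27, +28 @@ Timeout hunk only rewraps Sander Temme's quote and turns the bare mail-archive URL into a [[url|text]] wiki link whose display text is the same URL, with the message-id written once as <...> and once as %3C...%3E, so the link gains nothing readable and carries two encodings of the same id. Suggest using the thread subject or "httpd-users, November 2007" as the link text and checking which encoding of the message-id actually resolves. The "TBD: put some numbers to 'low timeout'" marker survives the edit unaddressed, and the "default is 5 minutes" in the quote should be tied to the httpd version it was written for, otherwise it reads as current advice.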
