thank you, that's what i have configured

BTW the following iptables-rule BEFORE the accept-rules will mitigate
Slowloris at least if it is not combined with a DDoS

iptables -A INPUT -p tcp -m multiport --destination-port 80,443 --syn -m connlimit --connlimit-above 70 -j DROP

On 25.03.2013 09:18, Esmq wrote:
> AFAIK, based on the following settings, the connections related to slow attack
> will at most last for 10 seconds,
>
> CONFIG proxy.config.net.defer_accept INT 1
> CONFIG proxy.config.http.accept_no_activity_timeout INT 1
> CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 5
>
> that will mitigate the effect of slowloris.
>
> At 2013-03-23 21:37:48,"Reindl Harald" <[email protected]> wrote:
>> Hi
>>
>> we have after an external security-audit from a customer the
>> problem that they detected the webserver which has a TS 3.2.4
>> in front of is vulnerable for "DoS Slowloris"
>>
>> i am currently not sure if this was because they scanned with
>> a new IP which was not on the iptables-rate-control-whitelist
>> or the Trafficserver is really vulnerable
>>
>> maybe the problem is gone on the next scan at monday but if there
>> is anything i can do please feedback to fix this until then
>>
>> https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
>>
>> AFAIK the most relevant parameters and why i think they
>> should not be changed - feel free to correct me if i am
>> wrong and in general if i missed tuneables
>> _______________________________________________________
>>
>> CONFIG proxy.config.http.transaction_active_timeout_out INT 0
>> * here i am completely unsure
>>
>> CONFIG proxy.config.http.background_fill_active_timeout INT 60
>> * here i am completely unsure
>>
>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 1
>> * KeepAlive is nice, Trafficserver should be able to handle
>>
>> CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 5
>> * i think the limit is still hard because if a dynamic page
>>   takes longer than this value to be generated the client
>>   would be disconnected which is not unlikely to happen in case
>>   of CMS systems unpacking archives and generate thumbnails for
>>   a lot of images from the archive content
>>
>> CONFIG proxy.config.http.transaction_active_timeout_in INT 900
>> * if i set this too low it would break web-apps which are running
>>   over minutes and give the whole time feedback to the user like
>>   sending a newsletter
>>
>> CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 60
>> * should be ok to the origin server
>>
>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 0
>> * no timeout to the origin server should be OK
>>
>> CONFIG proxy.config.http.accept_no_activity_timeout INT 1
>> * still a hard limit
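The connlimit rule quoted above drops new SYNs from any single source address once that address already holds more than 70 tracked connections to ports 80/443. The following Python model of that per-source counting is an added example for this thread, not code from the list posters or from netfilter: it replays a constructed connection trace (one source holding 100 slow connections open, one well-behaved client making 10 short requests) and shows which SYNs the rule would let through and which it would drop. It assumes xt_connlimit's "above" semantics, i.e. the connection being established is counted too, so the 71st concurrent connection from one address is the first to be dropped.

```python
from collections import defaultdict

# Threshold taken from the iptables rule quoted in the thread (--connlimit-above 70).
CONNLIMIT_ABOVE = 70


def simulate_connlimit(events, limit=CONNLIMIT_ABOVE):
    """Model `-m connlimit --connlimit-above <limit> -j DROP` on `--syn` packets.

    events: iterable of (action, src_ip) pairs, action in {"syn", "fin"}.
    Returns (accepted, dropped, still_open) as per-source dicts.
    Only SYNs are judged; a FIN just releases a slot, as conntrack would
    when the connection is torn down.
    """
    open_conns = defaultdict(int)
    accepted = defaultdict(int)
    dropped = defaultdict(int)
    for action, src in events:
        if action == "syn":
            # Assumption (matches xt_connlimit "above"): the new connection is
            # included in the count, so drop when it would be the (limit+1)th.
            if open_conns[src] + 1 > limit:
                dropped[src] += 1
            else:
                accepted[src] += 1
                open_conns[src] += 1
        elif action == "fin":
            if open_conns[src] > 0:
                open_conns[src] -= 1
        else:
            raise ValueError(f"unknown action {action!r}")
    return dict(accepted), dict(dropped), dict(open_conns)


def constructed_trace():
    """Constructed sample trace (documentation-range IPs, not real hosts):
    198.51.100.7 opens 100 connections and never finishes them (slow-client
    pattern); 203.0.113.5 opens and closes 10 ordinary requests in turn."""
    trace = [("syn", "198.51.100.7")] * 100
    for _ in range(10):
        trace.append(("syn", "203.0.113.5"))
        trace.append(("fin", "203.0.113.5"))
    return trace


def run_example():
    accepted, dropped, still_open = simulate_connlimit(constructed_trace())
    return accepted, dropped, still_open


if __name__ == "__main__":
    acc, drp, opn = run_example()
    for src in sorted(set(acc) | set(drp)):
        print(f"{src}: accepted={acc.get(src, 0)} dropped={drp.get(src, 0)} "
              f"still_open={opn.get(src, 0)}")
```

Two caveats the model makes visible: the rule never touches connections that are already established, so the 70 slow connections that got in stay open until Traffic Server's own idle timeouts (the accept_no_activity and transaction_no_activity settings discussed above) close them; and because the count is keyed on source address, many legitimate clients behind one NAT gateway share a single budget of 70, which is why Harald qualifies the rule as a mitigation only when the slow connections are not spread across a DDoS.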
