logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Slowloris HTTP DoS
Author
Kanashii



Joined: 17 Jul 2006
Posts: 155
Location: Porando
PostPosted: Sat 20 Jun '09 17:07    Post subject: Slowloris HTTP DoS Reply with quote
http://forum.configserver.com/showthread.php?p=8432

The are HTTP DoS 0 day for Apache i use

mod_limitipconn.c - Apache 2.x port

and its work OK

Quote:


There has been a public release of a Apache DoS tool.
You can read about it on the following URL\\\'s

http://isc.sans.org/diary.html?storyid=6601

http://ha.ckers.org/slowloris/

All versions of Apache are vulnerable.
There are a couple of solutions, one of them is limitipconn
http://dominia.org/djao/limitipconn2.html
However we have found it does not work as it should on all distributions.

We have put together a quick shell script that should give you protection in case your server is being attacked.

It currently is a crude version, if you see it does not work on your server please contact our support and we will try and get it working for you.

If you suspect your server is being attacked you can download the following to your linux webserver. This script does not work on BSD or windows.

http://www.leaseweb.com/antiloris.sh

Place the file in some directory and make it executable.

# wget -O /usr/local/sbin/antilotis.sh http://www.leaseweb.com/antiloris.sh
# chmod 755 /usr/local/sbin/antilotis.sh
# echo \"* * * * * /usr/local/sbin/antilotis.sh\" >> /etc/crontab

Then edit the file.
In the beginning of the file there are a couple of variables:
LIMIT=50
EMAILADDRESS=your-email@example.com
SENDEMAIL=1
RESTARTAPACHE=1

LIMIT is used for the amount of sessions the attacker has to open before his IP address will be blocked.
EMAILADDRESS is the email address you want to receive email alerts on
SENDMAIL can be 1 or 0. Set to 0 to no longer receive email.
RESTARTAPACHE This variable can restart apache after the IP address has been blocked. Some customers may not want to restart their apache after eac attack, but wait for regular apache time-outs.
Back to top


Reply to topic   Topic: Slowloris HTTP DoS View previous topic :: View next topic
Post new topic   Forum Index -> Apache