Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: HTTP Post Denial Of Service: more dangerous than .... |
|
| Author |
|
Kanashii
Joined: 17 Jul 2006
Posts: 155
Location: Porando
|
|
| Back to top |
|
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
|
 Posted: Mon 22 Nov '10 21:12 Post subject: |
 |
|
No not tested, this is the first I am seeing of this. I haven't done my daily sec news surf yet.
| Quote: | | The trick is not to send all this data at once but to send it character by character over a long period of time (e.g. 1 character each 10-100 seconds). The web server will keep these connections open for a very long time, until it receives all the data. |
As I'm reading this (article, not the actual pdf), this is Slowloris moved from the headers to body of the request. The exact thing mod_reqtimeout was designed for. As a mater of fact, I have to give the modules author credit for "seeing into the future" on this one, way to go Stefan!
http://marc.info/?l=apache-httpd-dev&m=126735239106154&w=2
With mod_reqtimeout, 1 byte 10-100 seconds will not get past, not if you look at how to configure this module.
http://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
Here is what I am currently running. I still do not think I've found the sweet spot yet, nor am I being lorised daily, but it has been working well for me, even with a rather slow connection coming from AU (friend of mine).
| Code: | <IfModule reqtimeout_module>
RequestReadTimeout header=5-25,MinRate=250
</IfModule> |
There is no way 1m bytes, at 1 byte every 1 second is going to get past this. It is going to time out at 25 seconds because by that 25th second, we will have recieved 25 byte, not the 250 needed to add an extra second. If the header pushes us past 250 bytes, we will still timeout after the 26th second on the body read. I think I could be DOSed, but I am still lowering these times, and raising the bar to get another second added to the total, to find a good time. I'll certainly start hearing complaints when I get it too low.
Obviously there could be a sweet spot for the attacker to find that will defeat this, but by that time, they are probably sending data fast enough to only partially DOS you.
Since there is no "default" for this module, there will be no target for the attacker to work from, they will have to fine tune it on a per server basis. I don't see that happening unless someone, with the tools and knowledge, really hates you!
And quite frankly, I do not even see the original Slowloris being used to DOS anyone. Have not heard of any at least. mod_antiloris I think took the fun out of the original attack vector.
<Disclaimer>
This is only the opinion of me 
</Disclaimer> |
|
| Back to top |
|
Kanashii
Joined: 17 Jul 2006
Posts: 155
Location: Porando
|
|
| Back to top |
|
|
|
|
|
|
