How to best defend against a "slowloris" DOS attack against an Apache web server?
Recently a script called "slowloris" has gained attention. The basic concept of what slowloris does is not a new attack but given the recent attention I have seen a small increase in attacks against some of our Apache websites.
At the moment there does not appear to be any 100% defence against this.
The best solution we have determined (so far) is to increase MaxClients.
This of course does nothing more than increase the requirements for the attacker's computer and does not actually protect the server 100%.
One other report indicates that using a reverse proxy (such as Perlbal) in front of the Apache server can help prevent the attack.
Using mod_evasive to limit the number of connections from one host and use mod_security to deny requests that look like they were issued by slowloris seem to be the best defence so far.
Has anyone on ServerFault been experiencing attacks such as this? If so, what measures did you implement to defend/prevent it?
NOTE: This question is for Apache servers as it is my understanding that Windows IIS servers are not affected.
Solution 1:
I experienced such attack ... in the middle of midsummer (23th of June), where you are supposed to be in the countryside and drink beer :>
I put my Apache behind Varnish, which not only protected from slowloris, but also accelerated web requests quite a bit.
Also, iptables
helped me:
iptables -I INPUT -p tcp --dport 80 \
-m connlimit --connlimit-above 20 --connlimit-mask 40 -j DROP
This rule limits one host to 20 connections to port 80, which should not affect non-malicious user, but would render slowloris unusable from one host.
Solution 2:
mod_antiloris, simple as that.
Solution 3:
If all your apache modules are thread safe, slowloris can be defeated simply by switching to event or worker MPMs. ref: here