Posts Tagged ‘slowloris’

Quick way to install mod_qos on Debian Lenny to protect from Slowloris

Thursday, February 18th, 2010

I’m gonna do a fast walk-through on installing and enabling mod_qos on Debian; the original article is available in Bulgarian on mpetrov’s blog.
So let’s go…
1. Install the required development files and tools to be able to compile properly:

debian-server# apt-get install apache2-threaded-dev gcc

2. Download the latest mod_qos archive from SourceForge

debian-server# cd /usr/local/src
debian-server# wget http://freefr.dl.sourceforge.net/project/mod-qos/mod-qos/9.7/mod_qos-9.8.tar.gz

3. Unarchive (Untar) the mod_qos archive and compile the module

debian-server# tar zxvf mod_qos-9.8.tar.gz
debian-server# cd mod_qos-9.8/apache2/
debian-server# apxs2 -i -c mod_qos.c

You can see from the compile output that the module is installed to /usr/lib/apache2/modules

4. Now let us create mod_qos configuration files

debian-server# cd /etc/apache2/mods-available/
debian-server# echo "LoadModule qos_module /usr/lib/apache2/modules/mod_qos.so" > qos.load

debian-server# vim /etc/apache2/mods-available/qos.conf

## QoS module Settings
<IfModule mod_qos.c>
# handles connections from up to 100000 different IPs
QS_ClientEntries 100000
# will allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections is limited to 256
MaxClients 256
# disables keep-alive when 70% of the TCP connections are occupied:
QS_SrvMaxConnClose 180
# minimum request/response speed (deny slow clients blocking the server,
# ie. slowloris keeping connections open without requesting anything):
QS_SrvMinDataRate 150 1200
# and limit request header and body (careful, that limits uploads and post requests too):
# LimitRequestFields 30
# QS_LimitRequestBody 102400
</IfModule>

5. All that is left is to load the mod_qos module into Apache and restart the web server

debian-server# a2enmod qos
debian-server# /etc/init.d/apache2 restart

Congratulations, now slowloris and many other Apache DoS techniques won’t bother you anymore!

How to defend against slowloris Webserver Denial of Service Attack

Tuesday, February 2nd, 2010

As you can read in my previous post, there is a terrible DoS attack dating back
to the previous year. It’s a real shit and it was really annoying for me to figure out
that my Apache running on top of FreeBSD is vulnerable as well.
Therefore I desperately needed a fix. I was not really keen on the idea of installing
mod_qos, because I really hate third party software messing up my Apache official module list.
Therefore I needed another approach. After some walking through Google I found the following:
How to best defend against a “slowloris” attack against Apache web server. There are a couple of pathways
to follow, as you can read in the post above. However, the one that fit me best was through
Varnish, a state-of-the-art high-performance HTTP accelerator (proxy); it’s truly a wonderful piece of software.
Installing it on FreeBSD was a piece of cake.
All I had to do was:

# cd /usr/ports/www/varnish
# make install clean
# echo 'varnishd_enable="YES"' >> /etc/rc.conf

And last but not least, I had to alter my /usr/local/etc/apache2/httpd.conf
and change the Listen port everywhere to 8080 instead of the default 80; the same
procedure goes for the VirtualHosts ports as well.

Last thing to do was:
Restart Apache
# /usr/local/etc/rc.d/apache2 restart
Start varnishd
# /usr/local/etc/rc.d/varnishd start

That’s it, now varnishd handles the incoming connections to my port 80 and passes whatever it thinks appropriate to the Apache server. Hip, hip, hooray, no more slowloris worries!
Another possible approach to Apache Denial of Service issues is to limit the maximum
allowed connections per host to be no more than 20.

On GNU/Linux this could be done with the following iptables rule:
# iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
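
To see which clients would actually hit a per-host cap such as the 20 used in the rule above before dropping their traffic, the following added example (not part of the original post) counts established connections per source address. It assumes the Linux `netstat -tn` column layout; the function names and the sample addresses are made up for the illustration.

```shell
#!/bin/sh
# Added example: list source IPs holding more than LIMIT established
# connections to a local port.
# Assumed input columns: proto recv-q send-q local foreign state

# conn_over_limit LIMIT [PORT]
# Reads netstat -tn output on stdin, prints "count ip", busiest first.
conn_over_limit() {
    limit=$1
    port=${2:-80}
    awk -v limit="$limit" -v port="$port" '
        # Split "addr:port" at the LAST colon so IPv6 and v4-mapped
        # addresses such as ::ffff:a.b.c.d:port are handled too.
        function host(ep) { sub(/:[0-9]+$/, "", ep); return ep }
        function prt(ep)  { sub(/^.*:/, "", ep);     return ep }
        # Slow clients sit in ESTABLISHED; other states are ignored.
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && prt($4) == port {
            n[host($5)]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# Constructed sample (documentation-range addresses), not a real capture:
#   203.0.113.5    25 connections to :80, plus one to :22
#   2001:db8::bad  22 connections to :80
#   198.51.100.7    3 connections to :80
sample_netstat() {
    i=0
    while [ "$i" -lt 25 ]; do
        echo "tcp 0 0 192.0.2.10:80 203.0.113.5:$((40000 + i)) ESTABLISHED"
        if [ "$i" -lt 22 ]; then
            echo "tcp6 0 0 2001:db8::10:80 2001:db8::bad:$((42000 + i)) ESTABLISHED"
        fi
        i=$((i + 1))
    done
    for p in 50001 50002 50003; do
        echo "tcp 0 0 192.0.2.10:80 198.51.100.7:$p ESTABLISHED"
    done
    echo "tcp 0 0 192.0.2.10:22 203.0.113.5:41000 ESTABLISHED"
    echo "tcp6 0 0 ::ffff:192.0.2.10:80 ::ffff:203.0.113.9:41001 TIME_WAIT"
}

# Demo on the sample; on a live host use: netstat -tn | conn_over_limit 20
sample_netstat | conn_over_limit 20
```

Running it with a limit of 50 instead shows what the QS_SrvMaxConnPerIP 50 setting from the mod_qos configuration would catch on the same input.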
On FreeBSD or OpenBSD with packet filter, you might want to take a look at the following:
Howto: Basic Denial of Service Protection Using PF

But wait, there are even more options to handle the slowloris DoS attack. It looks like some enthusiast
has even created an Apache module that handles the loris attack; sources of the non-official
mod_antiloris module release as well as precompiled binaries in rpm can be obtained here.