Slowloris DoS Tool: It Can Bring Down Apache 1.x/2.x

June 19, 2009 · 9 comments · Last updated June 19, 2009


Web servers that use threaded processes, such as Apache and others, can be targeted using an interesting HTTP DoS tool that has been released in the wild. The tool eats up all available resources by holding connections open to the server and continuing to send incomplete HTTP requests. The end result is that Apache runs out of memory and comes under a DoS attack.

According to this blog post:

This affects a number of webservers that use threaded processes and ironically attempt to limit that to prevent memory exhaustion - fixing one problem created another. This includes but is not necessarily limited to the following:

* Apache 1.x
* Apache 2.x
* dhttpd
* GoAhead WebServer
* Squid

There are a number of webservers that this doesn't affect as well, in my testing:

* IIS6.0
* IIS7.0
* lighttpd

Mitigating Apache DoS Attacks

I've not tested any of these solutions, but PF's syn proxy and FreeBSD's accf_http kernel module (which buffers an incoming connection until a complete HTTP request arrives) can be used to mitigate the attack. I'm sure both PF and iptables can be used to mitigate this attack by limiting connections per IP. Also, Apache can be configured to time out quickly. Another option is to put lighttpd in front of Apache and proxy requests to the real httpd server. I will update this post later on with my findings.
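To show why an accept filter such as accf_http blunts this attack, here is an added Python model of the buffering idea (example code written for this page; it is not the Slowloris tool, Apache, or the FreeBSD module itself). A connection is handed to a worker only once a complete request header has arrived, and a connection that is still incomplete after a deadline is closed without ever having occupied a worker. The connection ids, timings and request bytes are constructed sample data.

```python
from typing import Dict, List, Tuple

# Constructed sample traffic (not captured data): (seconds, connection id, bytes received).
# c1 sends a full request at once, c3 is slow but finishes, c2 drips header lines forever.
SAMPLE_EVENTS: List[Tuple[float, str, bytes]] = [
    (0.0, "c1", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (0.0, "c2", b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    (0.0, "c3", b"GET / HTTP/1.1\r\n"),
    (10.0, "c2", b"X-a: 1\r\n"),
    (12.0, "c3", b"Host: example.test\r\n\r\n"),
    (20.0, "c2", b"X-a: 2\r\n"),
    (29.0, "c2", b"X-a: 3\r\n"),
    (40.0, "c2", b"X-a: 4\r\n"),
]


class AcceptFilter:
    """Models the accept-filter idea: bytes are buffered per connection and a worker is
    assigned only once the request header is complete (blank line seen). A connection that
    is still incomplete after `deadline` seconds, or whose header grows past `max_header`
    bytes, is closed without ever having occupied a worker."""

    def __init__(self, deadline: float = 30.0, max_header: int = 8192) -> None:
        self.deadline = deadline
        self.max_header = max_header
        self.pending: Dict[str, Tuple[float, bytes]] = {}  # conn id -> (first seen, buffer)
        self.ready: List[str] = []                          # handed to a worker, in order
        self.dropped: List[Tuple[str, str]] = []            # (conn id, reason)
        self.closed: set = set()                            # ids we will not buffer again

    def on_data(self, conn_id: str, data: bytes, now: float) -> None:
        if conn_id in self.closed:
            return                      # already dropped; later bytes are ignored
        first_seen, buf = self.pending.get(conn_id, (now, b""))
        buf += data
        if b"\r\n\r\n" in buf:
            self.ready.append(conn_id)  # complete header: a worker may now take it
            self.pending.pop(conn_id, None)
        elif len(buf) > self.max_header:
            self._drop(conn_id, "header too large")
        else:
            self.pending[conn_id] = (first_seen, buf)

    def tick(self, now: float) -> None:
        """Expire connections that have stayed incomplete for too long."""
        for conn_id, (first_seen, _) in list(self.pending.items()):
            if now - first_seen >= self.deadline:
                self._drop(conn_id, "incomplete after deadline")

    def _drop(self, conn_id: str, reason: str) -> None:
        self.pending.pop(conn_id, None)
        self.closed.add(conn_id)
        self.dropped.append((conn_id, reason))


def simulate(events: List[Tuple[float, str, bytes]], deadline: float = 30.0) -> AcceptFilter:
    """Replay the events in time order through the filter, then run the clock out."""
    ordered = sorted(events, key=lambda e: e[0])  # stable: same-time events keep order
    f = AcceptFilter(deadline=deadline)
    for now, conn_id, data in ordered:
        f.tick(now)
        f.on_data(conn_id, data, now)
    f.tick(ordered[-1][0] + deadline)
    return f


def workers_without_filter(events: List[Tuple[float, str, bytes]]) -> int:
    """Without an accept filter every connection occupies a worker from its first byte,
    so each distinct connection, complete or not, consumes a worker slot."""
    return len({conn_id for _, conn_id, _ in events})


if __name__ == "__main__":
    result = simulate(SAMPLE_EVENTS)
    print("handed to workers:", result.ready)
    print("dropped:", result.dropped)
    print("worker slots consumed without a filter:", workers_without_filter(SAMPLE_EVENTS))
```

With the filter, only the two connections that finish their headers ever reach a worker; the dripping one is expired at the deadline. Without it, all three would hold a worker from their first byte, which is the exhaustion the post describes. The 30-second deadline mirrors the Apache Timeout value used in the comments below; it is an assumption for the model, not a value from the module.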

A little more available below:
=> Apache HTTP DoS tool released

Comments

1 Julius Beckmann June 20, 2009 at 9:50 am

Instead of using Lighttpd as a proxy there is another way to do this. Varnish is an HTTP accelerator that can be used to prevent this type of attack and can improve performance.
http://varnish.projects.linpro.no/
But lighty is also a good way for a simple solution.

What about using Apache Worker instead of Prefork? Worker should not be affected by this attack, and in combination with FastCGI it is also a powerful setup.


2 nixCraft June 20, 2009 at 1:58 pm

Varnish is a really good project. I've used it in the past and it worked like a charm. Each web server must be configured with limited resources to get rid of problems like this. The default timeout is 5 minutes and it must be set to something like 20-30. These ensure that TIME_WAIT ports either get reused or closed fast.

sysctl -w net.ipv4.tcp_fin_timeout=1
sysctl -w net.ipv4.tcp_tw_recycle=1


3 Cagri Ersen June 21, 2009 at 2:17 pm

accf_http mitigates the risk for me.
When I tried the tool against an Apache server (with a "very" default configuration) the server went down quickly. Then I loaded the accf_http module and started it again. This time the server is still up after ~50K packets sent.


4 ceres June 22, 2009 at 1:03 am

Here is what I did under FreeBSD to mitigate the risk. Updated httpd.conf:

KeepAliveTimeout 5
Timeout 30

Load kernel modules (add to /boot/loader.conf):

kldload accf_data
kldload accf_http

Updated pf settings (1.2.3.4 is the Apache server IP):

table  <slowloris> persist
block in quick on $ext_if from <slowloris>   to 1.2.3.4
pass in on $ext_if proto tcp to 1.2.3.4 port www flags S/SA synproxy state (max-src-conn 60, max-src-conn-rate 20/5, overload <slowloris>  flush)

List, delete and add attacking IPs manually:

pfctl -t slowloris -T show
pfctl -t slowloris -T delete 2.3.4.5
pfctl -t slowloris -T add 9.2.3.4

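The pf rule in the comment above combines three state-tracking options: a cap on simultaneous connections per source (max-src-conn 60), a cap on new connections per window (max-src-conn-rate 20/5), and an overload table that the block rule consults. The following added Python re-implementation of that logic (example code written for this page, not pf itself, and not the commenter's code) makes the behaviour concrete: sources that trip either limit are added to the table, their existing connections are flushed, and later connections from them are blocked. The client addresses, timings and thresholds are constructed sample data, with the thresholds taken from the rule above.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set


class SourceLimiter:
    """Illustrative re-implementation of the per-source state options in the pf rule:
    a source that exceeds `max_conn` simultaneous connections, or opens more than
    `max_rate` new connections within `window` seconds, is put in the overload table,
    its existing connections are flushed, and further connections from it are blocked
    (the job of 'block in quick ... from <slowloris>')."""

    def __init__(self, max_conn: int = 60, max_rate: int = 20, window: float = 5.0) -> None:
        self.max_conn = max_conn
        self.max_rate = max_rate
        self.window = window
        self.open: Dict[str, int] = defaultdict(int)               # src -> open connections
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)  # src -> recent connect times
        self.overload: Set[str] = set()                            # the <slowloris> table

    def new_connection(self, src: str, now: float) -> str:
        """Return 'blocked', 'overloaded' (this connection tripped a limit) or 'passed'."""
        if src in self.overload:
            return "blocked"
        times = self.recent[src]
        times.append(now)
        while times and now - times[0] > self.window:   # keep only the last `window` seconds
            times.popleft()
        self.open[src] += 1
        if self.open[src] > self.max_conn or len(times) > self.max_rate:
            self.overload.add(src)
            self.open[src] = 0      # 'flush': existing states from this source are killed
            times.clear()
            return "overloaded"
        return "passed"

    def close_connection(self, src: str) -> None:
        """A connection from `src` ended normally; free its slot."""
        if self.open[src] > 0:
            self.open[src] -= 1


def pfctl_add_commands(lim: SourceLimiter, table: str = "slowloris") -> List[str]:
    """The pfctl commands that would add the overloaded sources to the table by hand."""
    return [f"pfctl -t {table} -T add {src}" for src in sorted(lim.overload)]


def run_sample():
    """Constructed scenario: a normal client opens 6 connections over 10 seconds and an
    abusive source opens 25 within about one second (addresses from documentation ranges)."""
    lim = SourceLimiter()
    verdicts: Dict[str, List[str]] = defaultdict(list)
    for i in range(6):
        verdicts["203.0.113.5"].append(lim.new_connection("203.0.113.5", i * 2.0))
    for i in range(25):
        verdicts["198.51.100.9"].append(lim.new_connection("198.51.100.9", 0.5 + i * 0.04))
    return lim, dict(verdicts)


if __name__ == "__main__":
    limiter, results = run_sample()
    for src, outcome in results.items():
        print(src, {v: outcome.count(v) for v in ("passed", "overloaded", "blocked")})
    print("\n".join(pfctl_add_commands(limiter)))
```

The normal client never comes close to either limit. The abusive source passes its first 20 connections, trips the rate limit on the 21st, and has the remaining ones blocked; the table entry it earns is what `pfctl -t slowloris -T show` would list. The model also shows the limit of this control for a Slowloris-style tool: a source that keeps its connection count under 60 and its connect rate under 20 per 5 seconds is not caught by it, which is why the comment pairs it with accf_http and short Apache timeouts.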

5 nixCraft June 22, 2009 at 1:07 am

@ceres,

I've edited your post with <pre> HTML tags.


6 Solaris June 23, 2009 at 8:31 pm

Serious protection comes with a high price. And I mean layered detection modules
like dedicated hardware IDS/firewall and fine-grained monitoring.

Even so, when a big DDoS flood comes (gigabytes/second) there is not much you can do
at the hosting level, maybe change the routing tables at ISP core routers, but I have seen
a rare 30 GB/sec DDoS that brought down an entire ISP for a while.. so we are talking
micro protections here.


7 nixCraft June 23, 2009 at 8:40 pm

@Solaris,

I agree with you; your average server cannot fight if a large DDoS is launched against you. You need something like Cisco Guard or TopLayer mitigation appliances. Another option is to use an anti-DDoS proxy service. All these options cost a good amount of money.


8 Tod DoD June 26, 2009 at 6:04 pm

For limiting incoming SYN packets under netfilter:
iptables -A INPUT -i eth0 -p tcp --syn -m limit --limit 5/second -j ACCEPT


9 ano June 30, 2009 at 10:39 pm

@Vivek, @Solaris

Vivek wrote:
>Even so, when a big DDoS flood comes (Gigabytes/second) there is not much you can do

You missed the point. This particular attack is about taking down Apache with a tiny DDoS flood. Low bandwidth, CPU and memory footprint. A 486 on the cheapest DSL link brings down Apache.

Against this kind of attack there is much you can do… but Apache doesn't…


