Comments on: Slowloris DoS Tool: It Can Bring Down Apache 1.x/2.x

By: ano

ano — Tue, 30 Jun 2009 22:39:16 +0000

@Vivek, @Solaris

Vivek wrote:
>Even so, when a big DDoS flood comes (Gigabytes/second) there is not much you can do

You missed the point. This particular attack is about taking down apache with a tiny DDos flood. Low bandwidth-, cpu and memory footprint. A 486 on the cheapest dsl link brings down apache.

Against this kind of attacks there is much you can do… but apache doesn’t…

By: Tod DoD

Tod DoD — Fri, 26 Jun 2009 18:04:43 +0000

For limiting incoming SYN packets under netfilter:
iptables -A INPUT -i eth0 -p tcp --syn -m limit --limit 5/second -j ACCEPT

By: Vivek Gite

Vivek Gite — Tue, 23 Jun 2009 20:40:00 +0000

@Solaris,

I agree with you; your average server cannot fight if a large DDoS launched against you. You need something like Cisco guard or TopLayer mitigation appliances. Another option is to use anti-DDoS proxy service. All these options costs good amount of money.

By: Solaris

Solaris — Tue, 23 Jun 2009 20:31:17 +0000

Serious protection comes with a high price. And I mean layered detection modules
like dedicated hardware IDS/firewall and fine-grained monitoring.

Even so, when a big DDoS flood comes (Gigabytes/second) there is not much you can do
to the hosting level, maybe change the routing tables at ISP core routers but I have seen
a rare 30 GB/sec DDoS that brought down an entire ISP for a while.. so we are talking
micro protections here.

By: Vivek Gite

Vivek Gite — Mon, 22 Jun 2009 01:07:51 +0000

@ceres,

I’ve edited your post with pre html tags.

By: ceres

ceres — Mon, 22 Jun 2009 01:03:12 +0000

Here is what I did under FreeBSD to mitigate the risk. Updated httpd.conf:

KeepAliveTimeout 5
Timeout 30

Load kernel modules (add to /boot/loader.conf):

kldload accf_data
kldload accf_http

Updated pf settings (1.2.3.4 apache server ip):

table   persist
block in quick on $ext_if from    to 1.2.3.4
pass in on $ext_if proto tcp to 1.2.3.4 port www flags S/SA synproxy state (max-src-conn 60, max-src-conn-rate 20/5, overload   flush)

List / delete and add attacking ip manually:

pfctl -t slowloris -T show
pfctl -t slowloris -T delete 2.3.4.5
pfctl -t slowloris -T add 9.2.3.4

By: Cagri Ersen

Cagri Ersen — Sun, 21 Jun 2009 14:17:11 +0000

accf_httpd mitigate the risk for me.
When i try the tool against an apache server ( with “very” default configuration) server is going down quickly. And then i loaded accf_httpd module and start it again. At this time server is still up after 50K~ packets sent.

By: Vivek Gite

Vivek Gite — Sat, 20 Jun 2009 13:58:29 +0000

Varnish is really good project. I’ve used this one in past it worked like a charm. Each web server must configured with limited resources to get rid of problems like this. Default time out is 5 minutes and it must be set to something like 20-30. These ensure that TIME_WAIT ports either get reused or closed fast.

sysctl  net.ipv4.tcp_fin_timeout = 1
sysctl  net.ipv4.tcp_tw_recycle = 1

By: Julius Beckmann

Julius Beckmann — Sat, 20 Jun 2009 09:50:06 +0000

Instead of using Lighttpd as proxy there is another way to do this. Varnish is a http accelerator that can be used to prevent this type of attack and can improve performance.
http://varnish.projects.linpro.no/
But lighty is also a good way for a simple solution.

What about using Apache Worker instead of Prefork? Worker should not be affected by this attack and in combination with fastcgi also a powerful setup.