Slowloris DoS Tool: It Can Bring Down Apache 1.x/2.x

Categories: Apache, Networking, News, PF Firewall, RedHat/Fedora Linux, Security Alert, UNIX, Windows server

Web servers that dedicate a thread or process to each connection, such as Apache and others, can be targeted with an interesting HTTP DoS tool that has been released into the wild. The tool opens many connections to the server and keeps each one alive by sending incomplete HTTP requests: it sends partial headers, never the blank line that ends them, and trickles another header line every few seconds so the connection never looks idle. Each half-finished request ties up a worker, so the pool (MaxClients in Apache) fills up. The end result is that Apache runs out of free workers (and, with prefork, memory) and legitimate clients can no longer get a connection, i.e. a denial of service from a single low-bandwidth host.
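To make the mechanism concrete, here is an added example that is not part of the original post and not Apache's code: a toy fixed-pool HTTP server with four worker threads (SLOTS, an assumed stand-in for MaxClients), first with no deadline on reading the request headers and then with one. The attacker side opens one stalled, half-written request per worker; a normal client then tries a complete request. All names, sizes and timeouts are assumptions chosen for the demonstration.

```python
import socket
import threading

SLOTS = 4   # assumed worker-pool size, a tiny stand-in for Apache's MaxClients
LEGIT_REQUEST = b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"
REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


def serve(header_deadline):
    """Listen on 127.0.0.1 with SLOTS worker threads; return (port, stop).

    header_deadline=None is the weak behaviour: a worker blocks in recv()
    until the client finishes its headers, so a client that never does
    holds that slot for as long as it likes.  A float makes the worker
    abandon any connection whose headers are not complete within that
    many seconds, which is what accf_http or a short Timeout give Apache.
    """
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(64)
    port = lsock.getsockname()[1]
    stopping = threading.Event()

    def worker():
        while not stopping.is_set():
            try:
                conn, _ = lsock.accept()
            except OSError:
                return                      # listener was shut down
            with conn:
                conn.settimeout(header_deadline)
                buf = b""
                try:
                    while b"\r\n\r\n" not in buf:   # headers end at the blank line
                        chunk = conn.recv(4096)
                        if not chunk:
                            break                   # peer closed first
                        buf += chunk
                    if b"\r\n\r\n" in buf:
                        conn.sendall(REPLY)
                except OSError:
                    pass    # deadline hit (socket.timeout) or peer reset: slot is freed

    for _ in range(SLOTS):
        threading.Thread(target=worker, daemon=True).start()

    def stop():
        stopping.set()
        try:
            lsock.shutdown(socket.SHUT_RDWR)    # wakes workers blocked in accept()
        except OSError:
            pass
        lsock.close()

    return port, stop


def open_partial_connections(port, count):
    """Attacker side: `count` sockets that send the start of a request and
    then go quiet, never sending the blank line that would finish the headers."""
    socks = []
    for _ in range(count):
        s = socket.create_connection(("127.0.0.1", port))
        s.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\nX-a: b\r\n")
        socks.append(s)
    return socks


def legit_request_succeeds(port, timeout):
    """A normal client: send a complete request and wait up to `timeout` s."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(LEGIT_REQUEST)
            return s.recv(1024).startswith(b"HTTP/1.1 200")
    except OSError:         # socket.timeout is an OSError
        return False


def run_scenario(header_deadline, client_timeout=2.0):
    """Occupy every slot with a stalled connection, then try a real request."""
    port, stop = serve(header_deadline)
    stalled = open_partial_connections(port, SLOTS)
    try:
        return legit_request_succeeds(port, client_timeout)
    finally:
        for s in stalled:
            s.close()
        stop()


if __name__ == "__main__":
    print("no header deadline, legit client served:", run_scenario(None))
    print("0.5 s header deadline, legit client served:", run_scenario(0.5))
```

With no header deadline the legitimate client sits in the listen backlog until it gives up, because every worker is parked in recv() on a request that will never finish; with a deadline the stalled connections are dropped and a worker frees up within a fraction of a second. The attacker never needs bandwidth, only open sockets, which is why a dial-up host is enough.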

According to this blog post:

This affects a number of webservers that use threaded processes and ironically attempt to limit that to prevent memory exhaustion – fixing one problem created another. This includes but is not necessarily limited to the following:

* Apache 1.x
* Apache 2.x
* dhttpd
* GoAhead WebServer
* Squid

There are a number of webservers that this doesn’t affect as well, in my testing:

* IIS6.0
* IIS7.0
* lighttpd

Mitigating Apache DoS Attacks

I have not tested any of these solutions yet, but PF's synproxy and FreeBSD's accf_http kernel module (an accept filter that holds an incoming connection in the kernel until a complete HTTP request has arrived, so Apache never sees the half-finished request at all) can be used to mitigate this attack. Both PF and iptables can also limit the number of concurrent connections per source IP; that blunts a single attacking host, but not a distributed one, and can lock out many users sitting behind one NAT address. Apache can be configured to time out idle connections quickly, with one caveat: the Timeout directive only closes a connection after that many seconds without any data, and a tool that keeps sending a header line every few seconds resets the clock, so a short timeout raises the attacker's required send rate without stopping the attack by itself. Another option is to put lighttpd in front of Apache as a reverse proxy, so the event-driven proxy absorbs the slow connections and only forwards complete requests to the real httpd. I will update this post later with my findings.
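Per-IP limits only help if you can see which source is holding the workers, and these connections never reach the access log because the request never completes. The following is an added example, not from the original post or from any of the tools it mentions: it reads the socket table as printed by `netstat -tn` or `ss -tn`, counts ESTABLISHED connections to the web ports per remote address, and prints the pfctl/iptables commands an admin would review before running. The port set, the threshold of 20, the `slowloris` table name and the sample socket lines (RFC 5737 documentation addresses) are all constructed for the example.

```python
import collections
import sys

WEB_PORTS = {"80", "443"}   # assumed: ports the web server listens on
THRESHOLD = 20              # assumed: well above what one browser opens at once


def parse_connections(lines):
    """Yield (remote_ip, local_port, state) for each connection line.

    Accepts the `netstat -tn` layout (proto, queues, local, remote, STATE) and
    the `ss -tn` layout (STATE, queues, local, remote); columns are located by
    shape rather than position so either works.
    """
    for line in lines:
        fields = line.split()
        if not fields or fields[0] in ("Active", "Proto", "State", "Netid"):
            continue                    # banner / header lines
        addrs = [f for f in fields if ":" in f and f.rsplit(":", 1)[1].isdigit()]
        if len(addrs) < 2:
            continue
        local, remote = addrs[0], addrs[1]
        state = next((f for f in fields
                      if f.isupper() and f.replace("_", "").replace("-", "").isalpha()), "")
        yield remote.rsplit(":", 1)[0], local.rsplit(":", 1)[1], state


def suspects(lines, threshold=THRESHOLD, ports=WEB_PORTS):
    """Return [(remote_ip, count), ...] for sources holding at least `threshold`
    established connections to the web ports, busiest first.

    Slowloris connections are ESTABLISHED with a request that never completes,
    so they never reach the access log; the socket table is where they show."""
    counts = collections.Counter()
    for remote_ip, local_port, state in parse_connections(lines):
        if local_port in ports and state.startswith("ESTAB"):
            counts[remote_ip] += 1
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: -item[1])


def block_commands(ips, pf_table="slowloris"):
    """Commands to add the offenders to a pf table or an iptables rule.
    Returned as strings for review, not executed."""
    return ([f"pfctl -t {pf_table} -T add {ip}" for ip in ips]
            + [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in ips])


# Constructed sample in `netstat -tn` format (RFC 5737 documentation addresses):
# one host holding 25 half-open requests, one normal visitor, one SSH session,
# one connection already in TIME_WAIT.
SAMPLE = (
    ["Active Internet connections (w/o servers)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    + [f"tcp        0      0 203.0.113.10:80         198.51.100.7:{p}      ESTABLISHED"
       for p in range(51000, 51025)]
    + ["tcp        0      0 203.0.113.10:80         192.0.2.44:40012        ESTABLISHED",
       "tcp        0      0 203.0.113.10:22         192.0.2.44:40013        ESTABLISHED",
       "tcp        0      0 203.0.113.10:80         192.0.2.9:3333          TIME_WAIT"]
)


if __name__ == "__main__":
    # Pipe `netstat -tn` or `ss -tn` into this script; with no input use the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE
    for ip, n in suspects(lines):
        print(f"{ip}: {n} established connections to the web port")
    for cmd in block_commands([ip for ip, _ in suspects(lines)]):
        print(cmd)
```

Run it as `netstat -tn | python3 slowloris_suspects.py` (the file name is arbitrary). Treat the output as a lead, not a verdict: a busy proxy or a large NAT can legitimately hold dozens of connections, and a distributed attacker spreading a handful of connections per source will stay under any sane threshold, which is exactly why the accept-filter and reverse-proxy approaches are the more robust fix.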

More details are available here:
=> Apache HTTP DoS tool released

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.

9 comments

  1. Instead of using lighttpd as a proxy there is another way to do this. Varnish is an HTTP accelerator that can be used to prevent this type of attack and can improve performance.
    But lighty is also a good way for a simple solution.

    What about using the Apache worker MPM instead of prefork? Worker should not be affected by this attack, and in combination with FastCGI it is also a powerful setup.

  2. Varnish is a really good project. I've used it in the past and it worked like a charm. Each web server must be configured with limited resources to get rid of problems like this. The default timeout is 5 minutes and it must be set to something like 20-30. This ensures that TIME_WAIT ports either get reused or are closed fast.

    # shorten FIN-WAIT-2 and allow fast reuse of TIME_WAIT sockets (Linux sysctl syntax)
    sysctl -w net.ipv4.tcp_fin_timeout=1
    sysctl -w net.ipv4.tcp_tw_recycle=1
  3. accf_http mitigated the risk for me.
    When I tried the tool against an Apache server (with a "very" default configuration) the server went down quickly. Then I loaded the accf_http module and started it again. This time the server is still up after ~50K packets sent.

  4. Here is what I did under FreeBSD to mitigate the risk. Updated httpd.conf:

    KeepAliveTimeout 5
    Timeout 30

    Load the kernel modules now, and add them to /boot/loader.conf so they are loaded at boot:

    kldload accf_data
    kldload accf_http

    # /boot/loader.conf
    accf_data_load="YES"
    accf_http_load="YES"

    Updated pf settings (apache server ip):

    table <slowloris> persist
    block in quick on $ext_if from <slowloris> to
    pass in on $ext_if proto tcp to port www flags S/SA synproxy state (max-src-conn 60, max-src-conn-rate 20/5, overload <slowloris> flush)

    List, delete and add attacking IPs manually:

    pfctl -t slowloris -T show
    pfctl -t slowloris -T delete
    pfctl -t slowloris -T add
  5. Serious protection comes at a high price. And I mean layered detection modules
    like dedicated hardware IDS/firewalls and fine-grained monitoring.

    Even so, when a big DDoS flood comes (gigabytes/second) there is not much you can do
    at the hosting level, maybe change the routing tables at ISP core routers, but I have seen
    a rare 30 GB/sec DDoS that brought down an entire ISP for a while.. so we are talking
    micro protections here.

  6. @Solaris,

    I agree with you; your average server cannot fight back if a large DDoS is launched against it. You need something like Cisco Guard or TopLayer mitigation appliances. Another option is to use an anti-DDoS proxy service. All these options cost a good amount of money.

  7. For limiting incoming SYN packets under netfilter:
    # accept at most 5 new connections per second on eth0 ...
    iptables -A INPUT -i eth0 -p tcp --syn -m limit --limit 5/second -j ACCEPT
    # ... and drop the SYNs that exceed the limit (without this rule the limit has no effect)
    iptables -A INPUT -i eth0 -p tcp --syn -j DROP

  8. @Vivek, @Solaris

    Vivek wrote:
    >Even so, when a big DDoS flood comes (Gigabytes/second) there is not much you can do

    You missed the point. This particular attack is about taking down Apache with a tiny DDoS flood. Low bandwidth, CPU and memory footprint. A 486 on the cheapest DSL link brings down Apache.

    Against this kind of attack there is much you can do... but Apache doesn't...
