Slowloris DoS Tool: It Can Bring Down Apache 1.x/2.x

Web servers that use threaded processes, such as Apache and others, can be targeted with an interesting HTTP DoS tool, Slowloris, that has been released in the wild. The tool opens many connections to the server and holds each one open by sending partial HTTP requests (header lines that never complete) at a slow rate. Each stalled connection ties up a worker thread or process, so the server's pool of connection slots fills up and legitimate clients can no longer be served, even though the attacker uses almost no bandwidth. The end result is that Apache is under a DoS attack from a single low-bandwidth host.

According to the blog post that released the tool:

This affects a number of webservers that use threaded processes and ironically attempt to limit that to prevent memory exhaustion – fixing one problem created another. This includes but is not necessarily limited to the following:

* Apache 1.x
* Apache 2.x
* dhttpd
* GoAhead WebServer
* Squid

There are a number of webservers that this doesn’t affect as well, in my testing:

* IIS6.0
* IIS7.0
* lighttpd

Mitigating Apache DoS Attacks

I've not tested any of these solutions, but PF's SYN proxy and FreeBSD's accf_http kernel module (an accept filter that buffers an incoming connection in the kernel until a complete HTTP request has arrived, so Apache never sees a half-finished request; Apache 2.x on FreeBSD uses it through the AcceptFilter directive once the module is loaded) can be used to mitigate this. Note that a SYN proxy by itself does not defeat Slowloris, because the tool completes the TCP handshake and only stalls the HTTP request; what actually helps in PF is the per-source connection limiting (max-src-conn and max-src-conn-rate with an overload table), and the equivalent connection-per-IP limits can be built with iptables. Apache can also be configured to time out idle connections more quickly, although lowering Timeout helps only so much, since the timer restarts every time another partial header line arrives; later Apache releases (2.2.15 onwards) added mod_reqtimeout to cap the total time a client may take to send its request headers. Another option is to put lighttpd in front of Apache and proxy requests to the real httpd. I will update this post later on with my findings.
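As an added example (not code from the original post or from the Slowloris author): the attack needs many concurrent connections from very few hosts, so the cheapest check before reaching for the firewall rules above is to look at who owns the established connections to the web ports. The script below parses `ss -tn` style output (the sample is constructed), counts established connections per peer address, and prints pf table and iptables commands for any source over a threshold. The threshold, the table name `slowloris`, the interface and the addresses are assumptions made for the example.

```python
"""Flag source IPs holding many simultaneous connections to the web ports.

Added example, not from the original nixCraft post or the Slowloris tool.
A Slowloris client needs hundreds of *concurrent* connections rather than
bandwidth, so the tell-tale sign is one peer address owning a large share
of the ESTABLISHED connections to :80/:443.
"""
from collections import Counter

# Constructed sample in `ss -tn` layout: State Recv-Q Send-Q Local Peer.
# 198.51.100.7 holds 6 of the 7 established connections to :80.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      203.0.113.10:80      198.51.100.7:40001
ESTAB      0      0      203.0.113.10:80      198.51.100.7:40002
ESTAB      0      0      203.0.113.10:80      198.51.100.7:40003
ESTAB      0      0      203.0.113.10:80      198.51.100.7:40004
ESTAB      0      0      203.0.113.10:80      198.51.100.7:40005
ESTAB      0      0      203.0.113.10:80      198.51.100.7:40006
ESTAB      0      0      203.0.113.10:80      192.0.2.33:51000
ESTAB      0      0      203.0.113.10:443     192.0.2.34:51001
ESTAB      0      0      203.0.113.10:22      192.0.2.35:51002
TIME-WAIT  0      0      203.0.113.10:80      192.0.2.36:51003
"""

WEB_PORTS = {80, 443}
# Assumed threshold: a single browser rarely needs more than a handful
# of parallel connections; a large NAT gateway may legitimately exceed it.
DEFAULT_THRESHOLD = 5


def split_hostport(addr):
    """Split 'host:port' (IPv4, or '[v6]:port') into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def connections_per_source(ss_output, ports=WEB_PORTS,
                           states=("ESTAB", "ESTABLISHED")):
    """Count established connections to `ports`, keyed by peer IP."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skips the header line too, since 'State' is not in `states`.
        if len(fields) < 5 or fields[0] not in states:
            continue
        _, local_port = split_hostport(fields[3])
        peer_ip, _ = split_hostport(fields[4])
        if local_port in ports:
            counts[peer_ip] += 1
    return counts


def find_offenders(counts, threshold=DEFAULT_THRESHOLD):
    """Return (ip, count) pairs at or above the threshold, worst first."""
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: -item[1])


def block_commands(offenders, table="slowloris"):
    """Firewall commands for each offender: a pf table entry (table name
    assumed, matching the pf example in the comments) and an iptables rule."""
    cmds = []
    for ip, _ in offenders:
        cmds.append(f"pfctl -t {table} -T add {ip}")
        cmds.append(f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP")
    return cmds


if __name__ == "__main__":
    # Replace SAMPLE_SS_OUTPUT with subprocess output of `ss -tn` on a live box.
    offenders = find_offenders(connections_per_source(SAMPLE_SS_OUTPUT))
    for ip, n in offenders:
        print(f"{ip}: {n} established web connections")
    for cmd in block_commands(offenders):
        print(cmd)
```

Tune the threshold against normal traffic before wiring the output into pfctl or iptables automatically: one office behind NAT can look exactly like a slow-client attack if the limit is set too low.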

More details are available in the tool author's announcement:
=> Apache HTTP DoS tool released

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source.

9 comments
  • Julius Beckmann Jun 20, 2009 @ 9:50

    Instead of using Lighttpd as a proxy there is another way to do this. Varnish is an HTTP accelerator that can be used to prevent this type of attack and can improve performance.
    But lighty is also a good way for a simple solution.

    What about using Apache Worker instead of Prefork? Worker should not be affected by this attack, and in combination with FastCGI it is also a powerful setup.

  • Vivek Gite (Author and Admin) Jun 20, 2009 @ 13:58

    Varnish is a really good project. I've used it in the past and it worked like a charm. Each web server must be configured with limited resources to get rid of problems like this. The default timeout is 5 minutes and it must be set to something like 20-30. These ensure that TIME_WAIT ports either get reused or closed fast.

    sysctl -w net.ipv4.tcp_fin_timeout=1
    sysctl -w net.ipv4.tcp_tw_recycle=1

  • Cagri Ersen Jun 21, 2009 @ 14:17

    accf_http mitigated the risk for me.
    When I tried the tool against an Apache server (with a "very" default configuration), the server went down quickly. Then I loaded the accf_http module and started it again. This time the server was still up after ~50K packets sent.

  • ceres Jun 22, 2009 @ 1:03

    Here is what I did under FreeBSD to mitigate the risk. Updated httpd.conf:

    KeepAliveTimeout 5
    Timeout 30

    Load the kernel modules (add accf_data_load="YES" and accf_http_load="YES" to /boot/loader.conf to make this persistent across reboots):

    kldload accf_data
    kldload accf_http

    Updated pf settings ($ext_if is the interface carrying the Apache server IP):

    table <slowloris> persist
    block in quick on $ext_if from <slowloris> to any
    pass in on $ext_if proto tcp to port www flags S/SA synproxy state (max-src-conn 60, max-src-conn-rate 20/5, overload <slowloris> flush)

    List / delete / add attacking IPs manually:

    pfctl -t slowloris -T show
    pfctl -t slowloris -T delete 192.0.2.10   # replace with the attacking IP
    pfctl -t slowloris -T add 192.0.2.10      # replace with the attacking IP
  • Vivek Gite (Author and Admin) Jun 22, 2009 @ 1:07

    I've edited your post with pre html tags.

  • Solaris Jun 23, 2009 @ 20:31

    Serious protection comes with a high price. And I mean layered detection modules like dedicated hardware IDS/firewall and fine-grained monitoring.

    Even so, when a big DDoS flood comes (gigabytes/second) there is not much you can do at the hosting level, maybe change the routing tables at the ISP core routers, but I have seen a rare 30 GB/sec DDoS that brought down an entire ISP for a while.. so we are talking micro protections here.

  • Vivek Gite (Author and Admin) Jun 23, 2009 @ 20:40

    I agree with you; your average server cannot fight back if a large DDoS is launched against you. You need something like Cisco Guard or TopLayer mitigation appliances. Another option is to use an anti-DDoS proxy service. All these options cost a good amount of money.

  • Tod DoD Jun 26, 2009 @ 18:04

    For limiting incoming SYN packets under netfilter:
    iptables -A INPUT -i eth0 -p tcp --syn -m limit --limit 5/second -j ACCEPT
    # SYNs over the limit fall through; drop them here if the INPUT chain policy is ACCEPT
    iptables -A INPUT -i eth0 -p tcp --syn -j DROP

  • ano Jun 30, 2009 @ 22:39

    @Vivek, @Solaris

    Vivek wrote:
    >Even so, when a big DDoS flood comes (Gigabytes/second) there is not much you can do

    You missed the point. This particular attack is about taking down Apache with a tiny DDoS flood. Low bandwidth, CPU and memory footprint. A 486 on the cheapest DSL link brings down Apache.

    Against this kind of attack there is much you can do… but Apache doesn't…
