Slowloris DoS Tool: It Can Bring Down Apache 1.x/2.x

Web servers that use threaded processes, such as Apache and others, can be targeted with an interesting HTTP DoS tool that has been released in the wild. The tool eats up all of the server's resources by holding connections open to the server and continuing to send incomplete HTTP requests. The end result is that Apache runs out of memory and comes under a DoS attack.

According to this blog post:

This affects a number of webservers that use threaded processes and ironically attempt to limit that to prevent memory exhaustion – fixing one problem created another. This includes but is not necessarily limited to the following:

* Apache 1.x
* Apache 2.x
* dhttpd
* GoAhead WebServer
* Squid

There are a number of webservers that this doesn’t affect as well, in my testing:

* IIS6.0
* IIS7.0
* lighttpd

Mitigating Apache DoS Attacks

I've not tested any of these solutions, but PF's syn proxy and FreeBSD's accf_http kernel module (which buffers an incoming connection until a complete HTTP request arrives) can be used to mitigate this. I'm sure both PF and iptables can be used to mitigate this attack by limiting connections per IP. Also, Apache can be configured to time out quickly. Another option is to put lighttpd in front of Apache and proxy requests out to the real httpd server. I will update this post later on with my findings.
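The attack holds connections open with request heads that never finish; the timeout and accept-filter mitigations above work by bounding how long a worker waits for a complete head. The following is an added example (not code from this post, from Apache, or from FreeBSD) that implements that bound for a single connection and exercises it with a constructed client that stops mid-header; the deadline covers the whole read, so trickling one header line at a time does not reset it.

```python
import socket
import time

# Added example (not code from the post, Apache or FreeBSD): a request-head
# reader with a whole-request deadline, the idea behind Apache's Timeout and
# FreeBSD's accf_http. A worker never waits indefinitely for headers that
# never finish arriving.

HEAD_END = b"\r\n\r\n"

def read_request_head(conn, deadline_s, max_bytes=8192):
    """Read until the blank line that ends an HTTP request head.

    Returns (status, data), status being "complete", "timeout", "closed" or
    "too_large". The deadline bounds the total wait, not each recv(), so a
    peer that trickles one header line at a time cannot keep the call alive.
    """
    buf = b""
    end = time.monotonic() + deadline_s
    while True:
        remaining = end - time.monotonic()
        if remaining <= 0:
            return "timeout", buf
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return "timeout", buf
        if not chunk:  # peer closed before sending a full head
            return "closed", buf
        buf += chunk
        idx = buf.find(HEAD_END)
        if idx != -1:
            return "complete", buf[: idx + len(HEAD_END)]
        if len(buf) > max_bytes:  # header bytes without an end line: reject
            return "too_large", buf

def simulate_client(sent, deadline_s=0.2, max_bytes=8192):
    """Constructed harness: the client sends `sent`, then goes silent.
    A socketpair stands in for a real listener so this runs offline."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(sent)
        return read_request_head(server_side, deadline_s, max_bytes)
    finally:
        client_side.close()
        server_side.close()
```

A real server would pair this with a per-source connection cap (the pf `max-src-conn` idea in the comments below) so that a stalled peer is limited in how many workers it can occupy before the deadline fires.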

A little more is available below:
=> Apache HTTP DoS tool released

9 comments
  • Julius Beckmann Jun 20, 2009 @ 9:50

    Instead of using Lighttpd as a proxy, there is another way to do this. Varnish is an HTTP accelerator that can be used to prevent this type of attack and can improve performance.
    But lighty is also a good way for a simple solution.

    What about using Apache Worker instead of Prefork? Worker should not be affected by this attack, and in combination with FastCGI it is also a powerful setup.

  • 🐧 nixCraft Jun 20, 2009 @ 13:58

    Varnish is a really good project. I've used it in the past and it worked like a charm. Each web server must be configured with limited resources to get rid of problems like this. The default timeout is 5 minutes and it must be set to something like 20-30. This ensures that TIME_WAIT ports either get reused or closed fast.

    sysctl -w net.ipv4.tcp_fin_timeout=1
    sysctl -w net.ipv4.tcp_tw_recycle=1   # this key was removed in Linux 4.12; the command errors on newer kernels
  • Cagri Ersen Jun 21, 2009 @ 14:17

    accf_http mitigates the risk for me.
    When I tried the tool against an Apache server (with a "very" default configuration) the server went down quickly. Then I loaded the accf_http module and started it again. This time the server is still up after ~50K packets sent.

  • ceres Jun 22, 2009 @ 1:03

    Here is what I did under FreeBSD to mitigate the risk. Updated httpd.conf:

    KeepAliveTimeout 5
    Timeout 30

    Load kernel modules (add to /boot/loader.conf):

    kldload accf_data      # loads the accept filters into the running kernel
    kldload accf_http
    accf_data_load="YES"   # these two lines are the /boot/loader.conf form, loaded at boot
    accf_http_load="YES"

    Updated pf settings ($apache_ip is a macro holding the Apache server IP):

    table <slowloris> persist
    block in quick on $ext_if from <slowloris> to $apache_ip
    pass in on $ext_if proto tcp to $apache_ip port www flags S/SA synproxy state (max-src-conn 60, max-src-conn-rate 20/5, overload <slowloris> flush)

    List / delete and add attacking IP manually (192.0.2.10 is a placeholder address):

    pfctl -t slowloris -T show
    pfctl -t slowloris -T delete 192.0.2.10
    pfctl -t slowloris -T add 192.0.2.10
  • 🐧 nixCraft Jun 22, 2009 @ 1:07


    I’ve edited your post with pre html tags.

  • Solaris Jun 23, 2009 @ 20:31

    Serious protection comes with a high price. And I mean layered detection modules like dedicated hardware IDS/firewall and fine-grained monitoring.

    Even so, when a big DDoS flood comes (Gigabytes/second) there is not much you can do at the hosting level, maybe change the routing tables at ISP core routers, but I have seen a rare 30 GB/sec DDoS that brought down an entire ISP for a while... so we are talking micro protections here.

  • 🐧 nixCraft Jun 23, 2009 @ 20:40


    I agree with you; your average server cannot fight if a large DDoS is launched against you. You need something like Cisco Guard or TopLayer mitigation appliances. Another option is to use an anti-DDoS proxy service. All these options cost a good amount of money.

  • Tod DoD Jun 26, 2009 @ 18:04

    For limiting incoming SYN packets under netfilter:
    iptables -A INPUT -i eth0 -p tcp --syn -m limit --limit 5/second -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --syn -j DROP   # required: SYNs above the limit otherwise fall through to the chain policy

  • ano Jun 30, 2009 @ 22:39

    @Vivek, @Solaris

    Vivek wrote:
    >Even so, when a big DDoS flood comes (Gigabytes/second) there is not much you can do

    You missed the point. This particular attack is about taking down Apache with a tiny DDoS flood. Low bandwidth, CPU and memory footprint. A 486 on the cheapest DSL link brings down Apache.

    Against this kind of attack there is much you can do… but Apache doesn't…
