fredk2 wrote:
Would'nt you think that a (simple) timer for the header could fend off some of the effect. Can't we assume that if it takes more than 3 second to enter the header we do not want that client (i'll have to learn to type faster in telnet :-).
For the headers, I think it might help.But I'm sure that then the attack would switch to sending the headers fast, and then a long POST body, veeeeery slowly...
On another track, it seems that the "Event MPM" model of Apache also is relatively insensitive to the slowloris thing.
Thanks - Fred awarnier wrote:fredk2 wrote:What you are describing above is exactly the way a "slowloris" Denial-Of-Service attack works. On the majority of webservers, each such client locks up one child or thread of the webserver, for as long as it takes to complete the request. It is quite difficult to fight this, because how do you then distinguish a legitimate client that happens to have a slow internet connection ?Hi, http://httpd.apache.org/docs/2.2/mod/core.html#timeout says: The TimeOut directive currently defines the amount of time Apache will wait for three things 1. The total amount of time it takes to receive a GET request ... 1. seems to be misleading, tests with "Timeout 3" does not appear very effective. For example: GET / HTTP/1.1 Host: foo <sleep 2s> X-a: b <sleep 2s> ... Such requests are not rejected after 3 seconds as expected. Are we missing in Apache a timer for the header to complete ~ HeaderTimeout 1?The item #1 above, is relative to the time between - the initial establishment of the TCP connection to Apache - and the arrival of the first byte of the HTTP request itself (the G of GET) That is to avoid another type of DOS attack.But how would Apache know in advance how many headers there are, or what is "reasonable" as a time before a whole POST request is in ?--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx