> This is called 'slow loris' attack. That'll give you something to Google for
> :)

Thank you so much for the help guys. I did Google "slowloris" and I did indeed find much information. In fact, the program I wrote from scratch does the exact attack described on the slowloris Wikipedia page.

Anyhow, I hunted down a custom Apache module called mod_antiloris. This module limits the number of SERVER_BUSY_READ state connections from a single IP address. The default limit is 5 (I will turn mine up to 10 or more when I get it to work).

I compiled and installed mod_antiloris. I then tried bombarding my httpd server with the same program that took it down earlier. The behavior was slightly better, but the site still came down for a good few seconds (more than I'm comfortable with). I did also see messages in my httpd error log that indicated that mod_antiloris was indeed doing something.

However, I got suspicious when I got the message "server reached MaxClients setting, consider raising the MaxClients setting" in my error log during the attack that I initiated. We were still reaching the maximum 80 clients even with mod_antiloris enabled? And my website was still being brought down during the attack?

So, I decided to consult the source code of mod_antiloris. The full source code is here at this temporary link: http://porky.nerius.com/temp/mod_antiloris.c

This is version 0.4 of mod_antiloris. If you don't mind looking closely at the source code, go to pre_connection(), at the end of that function:

    if (ip_count > conf->limit) {
        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
                     "Rejected, too many connections in READ state from %s",
                     c->remote_ip);
        return OK;
    } else {
        return DECLINED;
    }

Apparently, we're returning what seems to be OK if ip_count is greater than conf->limit (which in my case is 5). And we return DECLINED (whatever that means) otherwise. Hrm. This seems backwards. First of all, how does my webserver even _work_ with this logic being backwards?

If I think about it slightly longer, one possible scenario that would explain why the website is still working is as follows. The first 5 connections from a client come in, and are denied. Somehow they linger somewhere and SERVER_BUSY_READ is still counted towards ip_count for these 5 denied connections. Then the 6th connection comes in, and is logged and accepted. Wow, can this code be so broken? I installed this code directly from a FreeBSD port, and FreeBSD ports are not supposed to be broken as badly as this.

Do you think just switching the "OK" with "DECLINED" in the source code would fix the problem?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
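To make the per-IP READ-state check discussed in the post concrete, here is an added C example, not code from mod_antiloris or from Apache: it models a scoreboard as a plain array, counts the slots a client address holds in the READ state, and applies the same `ip_count > limit` comparison as the snippet above. The state names, struct layout, the `DEMO_NSLOTS` and `BOUNDARY_NSLOTS` constants and the addresses are all constructed for this example; the only behaviour it demonstrates is that of the comparison itself, including its boundary: if the connection being decided on is not yet counted, a limit of 5 still admits a sixth READ connection and rejects from the seventh on.

```c
#include <stdio.h>
#include <string.h>

/* Minimal model of a per-IP READ-state connection limit (added example;
 * not Apache's scoreboard API and not mod_antiloris code). State names,
 * struct layout and sample addresses below are constructed. */

enum slot_state { SLOT_OPEN = 0, SLOT_BUSY_READ, SLOT_BUSY_WRITE, SLOT_KEEPALIVE };

struct slot {
    enum slot_state state;
    char client_ip[40];
};

/* Count how many slots `ip` currently holds in the READ state, i.e. the
 * state a client that dribbles request headers keeps a worker parked in. */
int count_read_state(const struct slot *sb, int nslots, const char *ip)
{
    int n = 0;
    for (int i = 0; i < nslots; i++) {
        if (sb[i].state == SLOT_BUSY_READ && strcmp(sb[i].client_ip, ip) == 0) {
            n++;
        }
    }
    return n;
}

/* Admission decision for a new connection from `ip`, using the comparison
 * from the posted snippet (ip_count > limit). Returns 1 to reject, 0 to admit.
 * Assumption: the new connection is not yet in the scoreboard, so with a
 * limit of 5 the 6th READ connection is admitted and the 7th is rejected. */
int should_reject(const struct slot *sb, int nslots, const char *ip, int limit)
{
    return count_read_state(sb, nslots, ip) > limit;
}

/* Constructed scoreboard: one address holds six workers in READ state,
 * another is mid-response, the last slot is idle. */
static const struct slot demo_board[8] = {
    { SLOT_BUSY_READ,  "198.51.100.7" },
    { SLOT_BUSY_READ,  "198.51.100.7" },
    { SLOT_BUSY_READ,  "198.51.100.7" },
    { SLOT_BUSY_READ,  "198.51.100.7" },
    { SLOT_BUSY_READ,  "198.51.100.7" },
    { SLOT_BUSY_READ,  "198.51.100.7" },
    { SLOT_BUSY_WRITE, "203.0.113.9"  },
    { SLOT_OPEN,       ""             },
};
#define DEMO_NSLOTS 8

/* Boundary case: exactly `limit` READ slots already held by one address. */
static const struct slot boundary_board[5] = {
    { SLOT_BUSY_READ, "198.51.100.7" },
    { SLOT_BUSY_READ, "198.51.100.7" },
    { SLOT_BUSY_READ, "198.51.100.7" },
    { SLOT_BUSY_READ, "198.51.100.7" },
    { SLOT_BUSY_READ, "198.51.100.7" },
};
#define BOUNDARY_NSLOTS 5

int main(void)
{
    const int limit = 5;

    printf("198.51.100.7 holds %d READ slots, limit %d -> %s\n",
           count_read_state(demo_board, DEMO_NSLOTS, "198.51.100.7"), limit,
           should_reject(demo_board, DEMO_NSLOTS, "198.51.100.7", limit) ? "reject" : "admit");
    printf("203.0.113.9 holds %d READ slots, limit %d -> %s\n",
           count_read_state(demo_board, DEMO_NSLOTS, "203.0.113.9"), limit,
           should_reject(demo_board, DEMO_NSLOTS, "203.0.113.9", limit) ? "reject" : "admit");
    printf("boundary: %d READ slots, limit %d -> %s\n",
           count_read_state(boundary_board, BOUNDARY_NSLOTS, "198.51.100.7"), limit,
           should_reject(boundary_board, BOUNDARY_NSLOTS, "198.51.100.7", limit) ? "reject" : "admit");
    return 0;
}
```

When reading a limiter like this against a MaxClients ceiling, the useful numbers are the per-IP limit, whether the connection being admitted is already counted, and how many distinct source addresses the load arrives from; the comparison alone cannot keep the total below MaxClients if each address is allowed its full quota.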