mod_reqtimeout not returning 408


 



Hi all,

In order to protect ourselves from a slowloris-type attack, we have configured the mod_reqtimeout module on our Apache 2.2.17 installation (running on Solaris, MPM compiled). The mod_reqtimeout is configured as follows:

RequestReadTimeout header=10-20,MinRate=500 body=10-20,MinRate=500

We are testing using the OWASP http_dos_cli tool and are still able to make the site unreachable in a couple of seconds. In the logs we do see that requests are being timed out and the connections closed at the correct moment, but the client is receiving a 200 status code instead of a 408. This difference keeps our mod_security rule set from gathering timeout statistics and blocking further requests from this IP.

Any idea on why mod_reqtimeout is returning 200 and not 408?

The original discussion on the owasp-modsecurity-core-rule-set mailing list: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2011-April/000722.html

Thanks a bunch!
GB
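
The statistic the message above depends on (request timeouts per client IP, keyed on the 408 status), as an added example that is not part of the original post or of the mod_security rule set. It assumes Apache common log format; the threshold, window, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common log format: host ident user [time] "request" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

def slow_clients(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for clients with >= threshold 408s in one window.

    threshold and window are hypothetical values, not taken from the post.
    """
    recent = defaultdict(deque)  # ip -> timestamps of its recent 408 responses
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a common-log-format line
        ip, stamp, status = m.groups()
        if status != "408":
            continue  # a timeout logged as 200 never reaches the counter
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()  # drop timeouts that fell out of the sliding window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def make_line(ip, second, status):
    """Build one constructed access-log line (hypothetical helper)."""
    return f'{ip} - - [12/Apr/2011:10:00:{second:02d} +0000] "GET / HTTP/1.1" {status} -'

# Constructed sample: three clients using documentation addresses.
SAMPLE = (
    [make_line("192.0.2.10", s, 408) for s in range(0, 12, 2)]    # six timeouts as 408
    + [make_line("192.0.2.20", s, 200) for s in range(0, 12, 2)]  # six timeouts seen as 200
    + [make_line("192.0.2.30", 5, 408)]                           # one isolated timeout
)

if __name__ == "__main__":
    for ip, count in slow_clients(SAMPLE).items():
        print(f"{ip}: {count} request timeouts within the window")
```

Only 192.0.2.10 is flagged; 192.0.2.20 shows the same behaviour but is missed because its timeouts carry status 200, which is the effect the message describes.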

