Re: mod_reqtimeout not returning 408

A little more information on the 200 return code:

It seems that mod_reqtimeout is not closing the connection after the 20 seconds, but rather truncating the request and letting it go through. So the request is actually processed, and since the URL is referring to an actual resource, a 200 code is returned.

Surely there must be a configuration mistake somewhere?

Cheers,
GB

On Fri, Apr 15, 2011 at 8:48 AM, Guillaume Bilodeau <guillaume.bilodeau@xxxxxxxxx> wrote:
Hi all,

In order to protect ourselves from a slowloris-type attack, we have configured the mod_reqtimeout module on our Apache 2.2.17 installation (running on Solaris, MPM compiled). The mod_reqtimeout module is configured as follows:

RequestReadTimeout header=10-20,MinRate=500 body=10-20,MinRate=500

We are testing using the OWASP http_dos_cli tool and are still able to make the site unreachable in a couple of seconds. In the logs we do see that requests are being timed out and the connections closed at the correct moment, but the client is receiving a 200 status code instead of a 408. This difference keeps our mod_security rule set from gathering timeout statistics and blocking further requests from this IP.

Any idea on why mod_reqtimeout is returning 200 and not 408?

The original discussion on the owasp-modsecurity-core-rule-set mailing list: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2011-April/000722.html

Thanks a bunch!
GB
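As an added example (not code from the thread or from Apache): the RequestReadTimeout line quoted above, header=10-20,MinRate=500 body=10-20,MinRate=500, is parsed and replayed against a paced client to show what the initial, MinRate-extended and maximum timeouts actually allow before the server gives up. The model follows the documented mod_reqtimeout semantics (one extra second per MinRate bytes received, capped at the maximum); the client pacings and byte counts are constructed.

```python
# Constructed model of the RequestReadTimeout directive from the thread; not
# Apache source, but the documented mod_reqtimeout extension/cap semantics.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class StageTimeout:
    initial: float   # seconds allowed before any extension is earned
    maximum: float   # hard cap; the deadline is never extended past it
    min_rate: int    # bytes that buy one more second (0 = no extension)


def parse_request_read_timeout(directive: str) -> Dict[str, StageTimeout]:
    """Parse e.g. 'header=10-20,MinRate=500 body=10-20,MinRate=500'."""
    stages = {}
    for token in directive.split():
        stage, spec = token.split("=", 1)
        parts = spec.split(",")
        lo, _, hi = parts[0].partition("-")
        initial = float(lo)
        maximum = float(hi) if hi else initial   # no '-max' means fixed
        min_rate = 0
        for opt in parts[1:]:
            key, val = opt.split("=", 1)
            if key.lower() == "minrate":
                min_rate = int(val)
        stages[stage.lower()] = StageTimeout(initial, maximum, min_rate)
    return stages


def simulate(stage: StageTimeout, chunks: List[Tuple[float, int]],
             needed: int) -> Tuple[str, float]:
    """Replay (arrival second, byte count) chunks; ("complete", t) or ("timeout", t)."""
    deadline = stage.initial
    received = 0
    for t, n in chunks:
        if t > deadline:          # nothing arrived before the deadline
            return ("timeout", deadline)
        received += n
        if received >= needed:    # the header (or body) section is done
            return ("complete", t)
        if stage.min_rate:
            # each MinRate bytes buys one second, never beyond the cap
            deadline = min(deadline + n / stage.min_rate, stage.maximum)
    return ("timeout", deadline)  # client went quiet before finishing
```

With 40 header bytes every 5 s of a 600-byte request the header deadline is reached at 10.16 s; at a steady 500 B/s the cap holds the deadline at 20 s no matter how long the client keeps trickling.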


