A little more information on the 200 return code:

It seems that mod_reqtimeout is not closing the connection after the 20 seconds, but rather truncating the request and letting it go through. So the request is actually processed, and since the URL is referring to an actual resource, a 200 code is returned.

Surely there must be a configuration mistake somewhere?

Cheers,
GB

On Fri, Apr 15, 2011 at 8:48 AM, Guillaume Bilodeau <guillaume.bilodeau@xxxxxxxxx> wrote:
Hi all,

In order to protect ourselves from a slowloris-type attack, we have configured the mod_reqtimeout module on our Apache 2.2.17 installation (running on Solaris, MPM compiled). The mod_reqtimeout is configured as follows:

RequestReadTimeout header=10-20,MinRate=500 body=10-20,MinRate=500

We are testing using the OWASP http_dos_cli tool and are still able to make the site unreachable in a couple of seconds. In the logs we do see that requests are being timed out and the connections closed at the correct moment, but the client is receiving a 200 status code instead of a 408. This difference keeps our mod_security rule set from gathering timeout statistics and blocking further requests from this IP.

Any idea on why mod_reqtimeout is returning 200 and not 408?

The original discussion on the owasp-modsecurity-core-rule-set mailing list: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2011-April/000722.html

Thanks a bunch!
GB
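The two messages above disagree about what the client sees when the header read times out: a 408 with the connection closed, or a 200 for a truncated request. A quick way to settle that against a real server is a slow-header probe that sends the request one line at a time and reports the status code that comes back. The script below is an added example written for this page; it is not the OWASP http_dos_cli tool, not code from the thread, and not mod_reqtimeout. To keep it runnable offline it also contains a small stand-in server (`run_mock_server`, an assumption made for the example) that models the two behaviours being discussed: `close_408` answers 408 and closes when the header deadline expires, `truncate_200` stops reading at the deadline and answers the partial request as if it were complete, which is the behaviour GB reports observing. Against a live Apache host you would call `slow_header_probe` with that host and port instead of the mock.

```python
"""Slow-header probe: send an HTTP request one line at a time and report the
status code the server returns. Added example for this page; the mock server
is an assumption made here and does not reproduce mod_reqtimeout internals."""
import select
import socket
import threading
import time

# Constructed request, sent line by line to imitate a slowloris-style client.
SLOW_REQUEST = [
    b"GET / HTTP/1.1\r\n",
    b"Host: 127.0.0.1\r\n",
    b"X-a: 1\r\n",
    b"X-a: 2\r\n",
    b"\r\n",  # end of headers; a slow client never gets here before the timeout
]


def parse_status(response):
    """Return the numeric status code of an HTTP response, or None if the
    server closed the connection without sending a status line."""
    if not response.startswith(b"HTTP/"):
        return None
    try:
        return int(response.split(b" ", 2)[1])
    except (IndexError, ValueError):
        return None


def slow_header_probe(host, port, lines, delay, read_timeout=2.0):
    """Send `lines` with `delay` seconds between them, stopping early if the
    server answers before the request is complete, then read the response."""
    sock = socket.create_connection((host, port))
    response = b""
    try:
        for line in lines:
            sock.sendall(line)
            # Wait before the next line, but stop sending as soon as the
            # server has something for us (a 408, or a premature 200).
            readable, _, _ = select.select([sock], [], [], delay)
            if readable:
                break
        sock.settimeout(read_timeout)
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:  # server closed the connection
                break
            response += chunk
    finally:
        sock.close()
    return parse_status(response)


def run_mock_server(mode, header_timeout):
    """One-shot server on 127.0.0.1 that models the two behaviours in the
    thread (assumption for this example, not mod_reqtimeout itself).
    Returns the port it listens on."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        srv.close()
        deadline = time.monotonic() + header_timeout
        buf = b""
        # Read until the blank line ending the headers, or until the deadline.
        while b"\r\n\r\n" not in buf:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            readable, _, _ = select.select([conn], [], [], remaining)
            if not readable:
                break
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        complete = b"\r\n\r\n" in buf
        got_request_line = b"\r\n" in buf
        if complete or (mode == "truncate_200" and got_request_line):
            resp = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"
        else:
            resp = b"HTTP/1.1 408 Request Timeout\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
        conn.sendall(resp)
        conn.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def demo(mode, delay, header_timeout=0.3):
    """Run the probe against the mock server in the given mode."""
    port = run_mock_server(mode, header_timeout)
    return slow_header_probe("127.0.0.1", port, SLOW_REQUEST, delay)


if __name__ == "__main__":
    for mode in ("close_408", "truncate_200"):
        print(mode, "fast client ->", demo(mode, 0.0),
              "| slow client ->", demo(mode, 1.0))
```

With a per-line delay longer than the header timeout, the `close_408` mode yields 408 and `truncate_200` yields 200, while a fast client gets 200 from both. Running the probe against the real host with a delay longer than the configured 20 seconds tells you which of the two the server actually does, independent of what mod_security sees in the log.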