4

I detected few days ago that my server was under slowloris attack (I found a lot of "-" 408 0 "-" "-" values in my access.log).

I changed my configuration like this:

In mod_reqtimeout:

RequestReadTimeout header=5-20,minrate=20

I installed mod_qos and configured it like that:

QS_SrvMaxConnPerIP 50
QS_SrvMinDataRate 120 1500

Is it enough? Most of the available tutorial just leave the default values in the configuration files.

I noticed that now the "-" 408 0 "-" values are increased a lot. I suppose that's good because it means that more connection are detected as malicious and it means that they are closed befaure they can "damage" the server. Right?

Can I do something more? Blocking the ips?...

Thanks in advance for any feedbacks!

lucas47
  • 41
  • 3
  • Are you certain that you are actually being attacked, or could it be that people are connecting to you, sending incomplete requests and the "Timeout" in your config is being reached? – Aaron Mar 05 '15 at 23:12

1 Answers1

0

Reading this bug report, I found out that it says you should not use the QS_SrvMinDataRate option because:

The connection cleanup takes too long.

They recommend that you only use the RequestReadTimeout option (At least on Apache 2.4+, but since the RequestReadTimeout option was available before, there was probably no need for the QoS options on that one).

It is not unlikely that the cleanup taking too long was causing those 408 errors. But that's just speculation on my part.

Note that Slowloris is difficult to get rid off unless you can block the IP address in your firewall. Something Apache2/QoS does not offer, unfortunately. It's very easy for the attacker to create a new connection when it receives the 408 and thus eat another one of your open Apache2 slot.

Alexis Wilke
  • 2,210
  • 1
  • 20
  • 37