[Bug 392759] Re: apache2 DoS attack using slowloris
Stefan Fritsch
sf at sfritsch.de
Mon Sep 21 19:05:31 BST 2009
Some comments:
- All Apache MPMs are affected. The sole exception may be if you use the
event MPM without SSL.
- The slowloris attack leaves plenty of error 400 entries in the access
log.
- Using iptables connlimit with a reasonable maximum number of
connections per IP (like 1/5 or 1/10 of what your server can handle) will
give you good protection from single attacking hosts. When the attacker
has many hosts (i.e. a botnet) you have lost anyway.
- mod_antiloris has some design issues as discussed on the httpd-dev
mailing list. Also, it does not protect against a slightly modified
attack. Therefore mod_antiloris is not the general solution.
- I hope that mod_reqtimeout may be a better approach, but the
discussion and testing are not finished yet.
For now, the recommendation is to use iptables.
--
apache2 DoS attack using slowloris
https://bugs.launchpad.net/bugs/392759
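The message notes that a slowloris run leaves plenty of error 400 entries in the access log. The script below is an added example (not part of the bug report or of any Apache code) that turns that observation into a check a defender can run over the access log: it counts 400 responses per client IP inside a sliding time window and flags clients that exceed a threshold. The log format regex, the sample log lines, the threshold and the window size are all assumptions chosen for the example; the sample lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format. The regex is an assumption made for this
# example; adjust it if your LogFormat differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not taken from any real server. A request that is
# never completed typically shows up as an empty request line ("-") with a
# 400 status once Apache gives up on it.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2009:19:00:01 +0100] "-" 400 0 "-" "-"
203.0.113.7 - - [21/Sep/2009:19:00:02 +0100] "-" 400 0 "-" "-"
198.51.100.4 - - [21/Sep/2009:19:00:03 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Sep/2009:19:00:05 +0100] "-" 400 0 "-" "-"
203.0.113.7 - - [21/Sep/2009:19:00:09 +0100] "-" 400 0 "-" "-"
198.51.100.4 - - [21/Sep/2009:19:00:12 +0100] "GET /x HTTP/1.1" 400 0 "-" "curl/7.19"
203.0.113.7 - - [21/Sep/2009:19:00:15 +0100] "-" 400 0 "-" "-"
"""


def parse_line(line):
    """Return (ip, timestamp, request_line, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def flag_slow_clients(log_text, threshold=4, window_seconds=60):
    """Map each client IP to the largest number of 400 responses it produced
    within any window of `window_seconds`, keeping only those at or above
    `threshold`. Threshold and window are example defaults, not tuned values."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in another format rather than failing
        ip, ts, _req, status = parsed
        if status == 400:
            events[ip].append(ts)

    flagged = {}
    for ip, times in events.items():
        times.sort()
        left = 0
        best = 0
        # Two-pointer sliding window: advance `left` until the window fits.
        for right in range(len(times)):
            while (times[right] - times[left]).total_seconds() > window_seconds:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in sorted(flag_slow_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {n} HTTP 400 responses within one window")
```

On a real server the same function can be fed the contents of the access log (for example `open("/var/log/apache2/access.log").read()`) on a cron schedule, and a flagged address is a candidate for the per-IP connection cap the message recommends; with the iptables connlimit match that cap takes the form `iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above N -j DROP`, where N should be set relative to the server's total connection capacity as described above. As the message also points out, a log-based or per-IP limit only helps against a small number of attacking hosts.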