Slowloris allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. The tools used to launch Slowloris attack can be downloaded at http://ha.ckers.org/slowloris/
Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
Following web server has been tested and NOT affected by this kind of attack:
- IIS6.0
- IIS7.0
- lighttpd
- Squid
- nginx
- Cherokee
- Netscaler
- Cisco CSS
Since Apache is vulnerable to this attack, we should do some prevention. We need to install one Apache module called mod_antiloris. The module limits the number of threads in READ state on a per IP basis and protecting Apache against the Slowloris attack. Installation instruction as below:
1. Download the installer and install from Sourceforge.net:
$ cd /usr/local/src $ wget http://sourceforge.net/projects/mod-antiloris/files/mod_antiloris-0.4.tar.bz2/download $ tar -xvjf mod_antiloris-0.4.tar.bz2 $ cd mod_antiloris-* $ apxs -a -i -c mod_antiloris.c |
2. Restart Apache:
$ service httpd restart |
3. Check whether mod_antiloris is loaded:
$ httpd -M | grep antiloris antiloris_module (shared) |
or you can check using httpd fullstatus command:
$ service httpd fullstatus | grep antiloris mod_antiloris/0.4 |
For cPanel servers, don’t forget to run following command to make sure the new modifications be checked into the configuration system by running:
$ /usr/local/cpanel/bin/apache_conf_distiller --update |
We have protect our web server from Slowloris attack. Try by launch the Slowloris attack to your web server and check the Apache status page to see whether it affected or not. Cheers!
UPDATE! Slowloris can be used to attack any port. Refer to comment section for more details. (Thanks to Luka Paunović for the highlight!)
Related Posts
7 Responses to Protect Apache Against Slowloris Attack
Leave a Reply
Subscribe via Email
Sci/Tech – Google News- iOS 7 likely to be flat ... and black and white? - NBCNews.com 24 May 2013
- A Best-Selling Phone? It's Not Just a Good Phone - New York Times (blog) 24 May 2013
- Microsoft refutes reports about Xbox One used game sales - CNET 24 May 2013
- Why Google's Display Ad Business Drew FTC Antitrust Probe - Forbes 24 May 2013
- Russia's leading social network banned by 'mistake' - Toronto Sun 24 May 2013
Ah, finally thank you!
I had problems with slowloris.
It’s protecting but I can notice a little bigger load when i receive attack.
Thanks again!
No problem Luka!
I wanted to ask one more thing, can this thing be implemented on other ports?
Can it protect an all ports?
Why would you need to protect other ports from an attack which can only be done on webserver port?
It’s only for Apache, so, port 80
Dude, Slowloris can attack on any port, just change port in perl file…
I tested it on MySQL server, SMTP, FTP, SSH they were DOWN.
This is real Slowloris
http://ha.ckers.org/slowloris/slowloris.pl
Is this compactibile with ngnix?
You can refer to this URL for web servers that affected by slowloris: http://ha.ckers.org/slowloris/