Protect Apache Against Slowloris Attack

Slowloris allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. The tools used to launch a Slowloris attack can be downloaded at http://ha.ckers.org/slowloris/

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

The following web servers have been tested and are NOT affected by this kind of attack:

  • IIS6.0
  • IIS7.0
  • lighttpd
  • Squid
  • nginx
  • Cherokee
  • Netscaler
  • Cisco CSS

Since Apache is vulnerable to this attack, we should take preventive measures. We need to install an Apache module called mod_antiloris. The module limits the number of threads in READ state on a per-IP basis, protecting Apache against the Slowloris attack. Installation instructions are below:

1. Download the source from Sourceforge.net and install it:

$ cd /usr/local/src
$ wget -O mod_antiloris-0.4.tar.bz2 http://sourceforge.net/projects/mod-antiloris/files/mod_antiloris-0.4.tar.bz2/download
$ tar -xvjf mod_antiloris-0.4.tar.bz2
$ cd mod_antiloris-*
$ apxs -a -i -c mod_antiloris.c

2. Restart Apache:

$ service httpd restart

3. Check whether mod_antiloris is loaded:

$ httpd -M | grep antiloris
   antiloris_module (shared)

Or you can check using the httpd fullstatus command:

$ service httpd fullstatus | grep antiloris
   mod_antiloris/0.4

For cPanel servers, don’t forget to run the following command so that the new modifications are checked into the configuration system:

$ /usr/local/cpanel/bin/apache_conf_distiller --update

We have now protected our web server from the Slowloris attack. Test it by launching the Slowloris attack against your web server and check the Apache status page to see whether it is affected or not. Cheers!
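
An added example (not part of the original post or of mod_antiloris): a shell check that counts established connections per source IP on the web port, the same per-IP idea the module enforces on READ-state workers. The `ss -tn` lines are constructed sample data, and the function names and the limit of 5 in the usage comment are assumptions.

```shell
#!/bin/sh
# Per-source-IP connection counter: an external approximation of the per-IP
# limit mod_antiloris applies inside Apache. TCP state cannot show Apache's
# READ state, so established connections to the web port stand in for it.

# Constructed sample of `ss -tn` output (documentation address ranges only).
sample_ss_output() {
cat <<'EOF'
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      192.0.2.10:80        203.0.113.7:51000
ESTAB     0      0      192.0.2.10:80        203.0.113.7:51001
ESTAB     0      0      192.0.2.10:80        203.0.113.7:51002
ESTAB     0      0      192.0.2.10:80        203.0.113.7:51003
ESTAB     0      0      192.0.2.10:80        203.0.113.7:51004
ESTAB     0      0      192.0.2.10:80        203.0.113.7:51005
ESTAB     0      0      192.0.2.10:22        203.0.113.7:40022
ESTAB     0      0      192.0.2.10:80        198.51.100.23:33810
ESTAB     0      0      192.0.2.10:80        198.51.100.23:33812
TIME-WAIT 0      0      192.0.2.10:80        198.51.100.23:33700
ESTAB     0      0      [2001:db8::1]:80     [2001:db8::5]:40000
EOF
}

# count_per_ip PORT: read `ss -tn` text on stdin and print "COUNT IP" for each
# peer holding ESTABLISHED connections to local PORT, busiest first.
count_per_ip() {
    awk -v port="$1" '
        $1 == "ESTAB" {
            lport = $4; sub(/^.*:/, "", lport)   # text after the last colon
            if (lport != port) next
            peer = $5
            sub(/:[0-9]+$/, "", peer)            # drop the peer port
            gsub(/^\[|\]$/, "", peer)            # unwrap bracketed IPv6
            n[peer]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# over_limit PORT LIMIT: print only peers with more than LIMIT connections.
over_limit() {
    count_per_ip "$1" | awk -v limit="$2" '$1 > limit { print $2 }'
}

# Demo on the constructed sample; on a live host use: ss -tn | over_limit 80 5
sample_ss_output | count_per_ip 80
```

A high count alone does not prove an attack, since many legitimate clients can share one address behind NAT or a proxy; compare the flagged addresses with the workers shown in READ state on the Apache status page.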

 

UPDATE! Slowloris can be used to attack any port. Refer to comment section for more details. (Thanks to Luka Paunović for the highlight!)

10 thoughts on “Protect Apache Against Slowloris Attack”

  1. Ah, finally thank you!
    I had problems with slowloris.
    It’s protecting but I can notice a little bigger load when I receive an attack.
    Thanks again!

      1. I wanted to ask one more thing, can this thing be implemented on other ports?
        Can it protect all ports?

        1. Why would you need to protect other ports from an attack which can only be done on webserver port?

          It’s only for Apache, so, port 80 😉

  2. // Try by launch the Slowloris attack to your web server and check the Apache status page to see whether it affected or not

    I tested it by telnetting to the port 80. When Slowloris attack is running, if you telnet to the port 80 from the same IP of the attack’s source, server closes the connection to telnet within seconds (Connection was reset error on Firefox). But if I telnet from a different IP, server won’t abruptly close the connection.

  3. CAN’T GET IT WORKING. ANY HELP?
    MY VPS IS CENTOS 7

    [[email protected] mod_antiloris-0.4]# apxs -a -i -c mod_antiloris.c
    /usr/lib64/apr-1/build/libtool –silent –mode=compile gcc -std=gnu99 -prefer-pi c -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-stro ng –param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -DLINUX -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/httpd -I/usr/include/apr-1 -I/usr/include/apr-1 -c -o mod_antiloris.lo mod_antiloris.c && touch mod_anti loris.slo
    mod_antiloris.c: In function ‘pre_connection’:
    mod_antiloris.c:126:37: error: ‘conn_rec’ has no member named ‘remote_ip’
    apr_cpystrn(ws_record->client, c->remote_ip, sizeof(ws_record->client));
    ^
    mod_antiloris.c:133:10: warning: passing argument 1 of ‘ap_get_scoreboard_worke ‘ makes pointer from integer without a cast [enabled by default]
    ws_record = ap_get_scoreboard_worker(i, j);
    ^
    In file included from /usr/include/httpd/ap_mpm.h:31:0,
    from mod_antiloris.c:24:
    /usr/include/httpd/scoreboard.h:185:28: note: expected ‘struct ap_sb_handle_t *’ but argument is of type ‘int’
    AP_DECLARE(worker_score *) ap_get_scoreboard_worker(ap_sb_handle_t *sbh);
    ^
    mod_antiloris.c:133:10: error: too many arguments to function ‘ap_get_scoreboard _worker’
    ws_record = ap_get_scoreboard_worker(i, j);
    ^
    In file included from /usr/include/httpd/ap_mpm.h:31:0,
    from mod_antiloris.c:24:
    /usr/include/httpd/scoreboard.h:185:28: note: declared here
    AP_DECLARE(worker_score *) ap_get_scoreboard_worker(ap_sb_handle_t *sbh);
    ^
    In file included from mod_antiloris.c:23:0:
    mod_antiloris.c:146:108: error: ‘conn_rec’ has no member named ‘remote_ip’
    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, “Rejected, too many connectio ns in READ state from %s”, c->remote_ip);
    ^
    /usr/include/httpd/http_log.h:367:65: note: in definition of macro ‘ap_log_error __’
    ap_log_error_(file, line, mi, level, status, sr__, __VA_ARGS__); \
    ^
    mod_antiloris.c:146:2: note: in expansion of macro ‘ap_log_error’
    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, “Rejected, too many connectio ns in READ state from %s”, c->remote_ip);
    ^
    apxs:Error: Command failed with rc=65536
    .
    [[email protected] mod_antiloris-0.4]# service httpd restart
    Redirecting to /bin/systemctl restart httpd.service
    [[email protected] mod_antiloris-0.4]# httpd -M | grep antiloris
    [[email protected] mod_antiloris-0.4]# service httpd fullstatus | grep antiloris
    The service command supports only basic LSB actions (start, stop, restart, try-r estart, reload, force-reload, status). For other actions, please try to use syst
