Protect Apache Against Slowloris Attack

Slowloris allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. The tools used to launch a Slowloris attack can be downloaded at http://ha.ckers.org/slowloris/

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

The following web servers have been tested and are NOT affected by this kind of attack:

  • IIS6.0
  • IIS7.0
  • lighttpd
  • Squid
  • nginx
  • Cherokee
  • Netscaler
  • Cisco CSS

Since Apache is vulnerable to this attack, we should take preventive measures. We need to install an Apache module called mod_antiloris. The module limits the number of threads in READ state on a per-IP basis, protecting Apache against the Slowloris attack. Installation instructions are as below:

1. Download the module from Sourceforge.net and install it:

$ cd /usr/local/src
$ wget -O mod_antiloris-0.4.tar.bz2 http://sourceforge.net/projects/mod-antiloris/files/mod_antiloris-0.4.tar.bz2/download
$ tar -xvjf mod_antiloris-0.4.tar.bz2
$ cd mod_antiloris-*/
$ apxs -a -i -c mod_antiloris.c

2. Restart Apache:

$ service httpd restart

3. Check whether mod_antiloris is loaded:

$ httpd -M | grep antiloris
   antiloris_module (shared)

or you can check using the httpd fullstatus command:

$ service httpd fullstatus | grep antiloris
   mod_antiloris/0.4

For cPanel servers, don’t forget to run the following command to make sure the new modifications are checked into the configuration system:

$ /usr/local/cpanel/bin/apache_conf_distiller --update

We have now protected our web server from the Slowloris attack. Try launching the Slowloris attack against your web server and check the Apache status page to see whether it is affected or not. Cheers!
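A complementary check to the Apache status page, as an added example (not part of the original post or of mod_antiloris): the function below reads `netstat -ant` output and lists remote IPs holding more than a given number of ESTABLISHED connections to the web port. It counts connections per IP, which is coarser than the per-IP READ-state count the module enforces; the function names, the threshold and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list remote IPs that hold many
# ESTABLISHED connections to a local web port, from `netstat -ant` text on stdin.

# per_ip_over_limit PORT LIMIT
# Prints "COUNT IP", busiest first, for each remote IP above LIMIT connections.
per_ip_over_limit() {
    awk -v port="$1" -v limit="$2" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($4, l, ":")        # local address; last piece is the port
            if (l[n] != port) next
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # drop the remote port
            sub(/^::ffff:/, "", ip)      # fold IPv4-mapped IPv6 onto IPv4
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit) print count[ip], ip
        }' | sort -rn
}

# Constructed sample in `netstat -ant` layout (documentation-range addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40004      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40005      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40006 ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.20:51000      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.20:51001      ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.21:52000      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.22:53000      TIME_WAIT
EOF
}

# Live use on the server: netstat -ant | per_ip_over_limit 80 5
# (the threshold 5 is an arbitrary starting point, tune it to your traffic)
sample_netstat | per_ip_over_limit 80 3
```

An IP that stays at the top of this list across repeated runs while its connections never complete a request is the pattern the per-IP READ limit is meant to cap.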

 

UPDATE! Slowloris can be used to attack any port. Refer to the comment section for more details. (Thanks to Luka Paunović for the highlight!)