I'm pretty sure I was under Slowloris attack. I set up an iptables rule to limit max connections to my webserver, but I'd like to know how I can figure out if it really was a Slowloris attack, and if so, how I can find the IP address of the attacker. I'd really like to pass the logs on to his ISP.
Thanks
Level 1: simple Slowloris DoS
To find the IP address of the Slowloris attacker I use the following command line:
This will give you the number of active connections for each connected IP.
If you are under a simple DoS attack, a kiddie with one or a few IPs, the one with 50-100 connections (or more) is most probably a Slowloris attacker you can drop.
This is to detect and drop them (with iptables or your preferred hlfw) in "real time" if you are connected to the server during the attack.
Adding the processing time (%D or %T argument) to your Apache logs can also probably help to detect Slowloris attacks "postmortem" by analysing the logs; if you don't have this info in your logs, you won't be able to find anything interesting. See http://httpd.apache.org/docs/current/mod/mod_log_config.html for the log config.
Level 2: real big Slowloris DDoS
netstat (use watch netstat for refresh) can still help you see that some IPs are just always connected.
To fight Slowloris on Apache, install the reqtimeout module and set it up, for example:
http://pastebin.com/3BNNwfyb
After that, every 408 you see in access_log is 99.999% sure a Slowloris attacker IP.
Using the reqtimeout Apache module, you can easily stand up against thousands of IPs and thousands of packets/second on a decent dedicated server.
Iptables can also help a little with something like:
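As an added example (not code from the answer above, and not the command line it refers to), here is a small Python script implementing the two checks the answer describes: counting connections per remote IP from netstat output, and counting 408 responses and slow requests per client IP from an access_log that has %D appended. The log format, the thresholds (50 connections, two 408s, a 10 second %D) and the sample netstat and log lines are constructed assumptions for illustration; tune the thresholds against your own baseline before acting on them.

```python
import re
from collections import Counter, defaultdict

# Assumed LogFormat (hypothetical): the Apache combined format with %D
# (request duration in microseconds) appended as the last field:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<usec>\d+)$'
)

# Constructed sample access_log: a normal client, one client that never
# finishes its requests (408 with an empty "-" request line), and one
# client with a single 408 that stays below the threshold.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 2310
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /a.css HTTP/1.1" 200 88 "http://example.invalid/" "Mozilla/5.0" 1870
203.0.113.9 - - [10/Oct/2023:13:56:40 +0000] "-" 408 - "-" "-" 20000123
203.0.113.9 - - [10/Oct/2023:13:56:41 +0000] "-" 408 - "-" "-" 20000456
203.0.113.9 - - [10/Oct/2023:13:56:42 +0000] "GET / HTTP/1.1" 408 - "-" "-" 20000789
192.0.2.55 - - [10/Oct/2023:13:57:01 +0000] "-" 408 - "-" "-" 20000000
"""

# Constructed sample of `netstat -ntu` output: one IPv4 client, one IPv6
# client, and one client holding 60 connections open at once.
SAMPLE_NETSTAT = "\n".join(
    ["Active Internet connections (w/o servers)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
     "tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED",
     "tcp6       0      0 2001:db8::10:80         2001:db8::1:40002       ESTABLISHED"]
    + [f"tcp        0      0 192.0.2.10:80           203.0.113.9:{51000 + i}       ESTABLISHED"
       for i in range(60)]
)


def parse_line(line):
    """Parse one access_log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["usec"] = int(rec["usec"])
    return rec


def suspects_from_log(text, min_408=2, slow_us=10_000_000, min_slow=2):
    """Per client IP, count 408 responses and requests whose %D is at least
    slow_us. Return only the IPs that reach either threshold."""
    per_ip = defaultdict(lambda: {"count_408": 0, "slow": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        if rec["status"] == 408:
            per_ip[rec["ip"]]["count_408"] += 1
        if rec["usec"] >= slow_us:
            per_ip[rec["ip"]]["slow"] += 1
    return {ip: c for ip, c in per_ip.items()
            if c["count_408"] >= min_408 or c["slow"] >= min_slow}


def connections_per_ip(netstat_text):
    """Count connections per remote IP from netstat-style output.
    The remote address is the fifth column; the port after the last ':'
    is dropped, which also works for IPv6 addresses."""
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue  # header lines
        remote = parts[4].rsplit(":", 1)[0]
        counts[remote] += 1
    return counts


def flag_ips(counts, threshold=50):
    """Return, sorted, the IPs holding at least `threshold` connections."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("suspects from access_log:", suspects_from_log(SAMPLE_LOG))
    print("IPs over connection threshold:", flag_ips(connections_per_ip(SAMPLE_NETSTAT)))
```

On a live server you would feed `connections_per_ip` the output of `netstat -ntu` and `suspects_from_log` the real access_log; an IP that shows up in both lists is the one worth blocking first.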
Slowloris attacks work by sending request data as slowly as possible. Therefore, if you could measure the bandwidth use per IP address, then if it's below some threshold (found by measuring the bandwidth in a known Slowloris attack), you know you are under attack.
To prevent attacks, I'd suggest switching your webserver software. I use Cherokee, which is resistant in its default configuration. I can't ascertain whether nginx is vulnerable, but lighttpd is. I also can't be sure that using a resistant webserver as a proxy will make any difference.
Here's more information: http://ha.ckers.org/blog/20090617/slowloris-http-dos/