I didn't know this site existed before I posted this on StackOverflow, so please let me know if I'm breaking some forum etiquette or something.
In order to protect ourselves from a slowloris-type attack, we have configured the mod_reqtimeout module on our Apache 2.2.17 installation (running on Solaris, MPM compiled). The mod_reqtimeout is configured as follows:
RequestReadTimeout header=10-20,MinRate=500 body=10-20,MinRate=500
We are testing using the OWASP http_dos_cli tool and are still able to make the site unreachable in a couple of seconds. In the logs we see that the request is truncated after 20 seconds and is then processed. Since the URL refers to an actual resource, a 200 status code is returned. This prevents our mod_security rule set from detecting 408 status codes, gathering IP-based statistics and blocking further requests from that IP.
Any idea on why mod_reqtimeout is truncating the request instead of dropping it and returning a 408?
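As an added illustration of the detection gap described in the question (not code from the original post or from mod_security), the script below does what an IP-based rule set would do over access-log lines: it counts 408 responses per client, and, to cover the failure mode reported above where a truncated request is served with a 200, it also counts non-408 requests whose read phase ran up to the 20-second upper bound of the configured RequestReadTimeout. Both the LogFormat (assumed to be `%h %t "%r" %>s %b %D`, with `%D` giving the request duration in microseconds) and the sample log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Assumed LogFormat for this example (not taken from the original post):
#   LogFormat "%h %t \"%r\" %>s %b %D" reqtimeout
# %D is the request duration in microseconds.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<usec>\d+)$'
)

# Constructed sample traffic: one client hitting the 408 path, one client whose
# slow requests are truncated at the timeout and then served with a 200, and
# one normal client.
SAMPLE_LOG = """\
203.0.113.7 [10/May/2011:10:00:00 +0200] "GET / HTTP/1.1" 408 - 20003211
203.0.113.7 [10/May/2011:10:00:01 +0200] "GET / HTTP/1.1" 408 - 20001982
203.0.113.7 [10/May/2011:10:00:02 +0200] "GET / HTTP/1.1" 408 - 20002710
198.51.100.9 [10/May/2011:10:00:03 +0200] "GET /index.html HTTP/1.1" 200 5120 20004100
198.51.100.9 [10/May/2011:10:00:04 +0200] "GET /index.html HTTP/1.1" 200 5120 20003900
198.51.100.9 [10/May/2011:10:00:05 +0200] "GET /index.html HTTP/1.1" 200 5120 20004400
192.0.2.44 [10/May/2011:10:00:06 +0200] "GET /index.html HTTP/1.1" 200 5120 1843
192.0.2.44 [10/May/2011:10:00:07 +0200] "GET /style.css HTTP/1.1" 200 912 902
"""

# Upper bound of "RequestReadTimeout header=10-20" from the question, in microseconds.
HEADER_TIMEOUT_USEC = 20 * 1_000_000


def parse_line(line):
    """Parse one access-log line in the assumed format; return None on mismatch."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["usec"] = int(rec["usec"])
    return rec


def count_suspects(log_text, timeout_usec=HEADER_TIMEOUT_USEC):
    """Return two per-IP counters: 408 responses, and non-408 requests whose
    duration reached the read timeout (the truncated-then-processed case)."""
    c408 = defaultdict(int)
    slow_non408 = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 408:
            c408[rec["ip"]] += 1
        elif rec["usec"] >= timeout_usec:
            slow_non408[rec["ip"]] += 1
    return dict(c408), dict(slow_non408)


def ips_to_block(log_text, threshold=3, timeout_usec=HEADER_TIMEOUT_USEC):
    """IPs whose combined 408 and timed-out-but-served count reaches the threshold."""
    c408, slow_non408 = count_suspects(log_text, timeout_usec)
    hits = defaultdict(int)
    for ip, n in c408.items():
        hits[ip] += n
    for ip, n in slow_non408.items():
        hits[ip] += n
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG))
```

Counting only 408s, as the rule set in the question does, would miss 198.51.100.9 entirely; keying the second counter on request duration rather than on status catches clients whose slow reads are cut off at the timeout and still served.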
I have opened a bug report and received confirmation that issues in HTTPD Core are causing the following problems:
More details here: https://issues.apache.org/bugzilla/show_bug.cgi?id=51103
Hope that helps someone eventually.