Recently a script called "slowloris" has gained attention. The basic concept of what slowloris does is not a new attack but given the recent attention I have seen a small increase in attacks against some of our Apache websites.
At the moment there does not appear to be any 100% defence against this.
The best solution we have determined (so far) is to increase MaxClients.
This of course does nothing more than increase the requirements for the attacker's computer and does not actually protect the server 100%.
One other report indicates that using a reverse proxy (such as Perlbal) in front of the Apache server can help prevent the attack.
Using mod_evasive to limit the number of connections from one host and use mod_security to deny requests that look like they were issued by slowloris seem to be the best defence so far.
Has anyone on ServerFault been experiencing attacks such as this? If so, what measures did you implement to defend/prevent it?
NOTE: This question is for Apache servers as it is my understanding that Windows IIS servers are not affected.
I experienced such attack ... in the middle of midsummer (23th of June), where you are supposed to be in the countryside and drink beer :>
I put my Apache behind Varnish, which not only protected from slowloris, but also accelerated web requests quite a bit.
Also,
iptables
helped me:This rule limits one host to 20 connections to port 80, which should not affect non-malicious user, but would render slowloris unusable from one host.
mod_antiloris, simple as that.
If all your apache modules are thread safe, slowloris can be defeated simply by switching to event or worker MPMs. ref: here
Right now it seems that there's nothing more to do that limiting the max concurrent connexions per ip on the server.
There's a user patch you can try. It modifies the timeout based on the load the server is under, but considering its status, you might not want to use it on a production machine, without some serious testing. Take a look here.
iptable based firewall should protect you from multiple connections from 1 ip.
If this helps anyone else, you can sometimes overcome this issue with Apache 2.2.15 or greater with the following configuration:
More info here: https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html