KPWINC's questions

Recently a script called "slowloris" has gained attention. The basic concept of what slowloris does is not a new attack but given the recent attention I have seen a small increase in attacks against some of our Apache websites.

At the moment there does not appear to be any 100% defence against this.

The best solution we have determined (so far) is to increase MaxClients.

This of course does nothing more than increase the requirements for the attacker's computer and does not actually protect the server 100%.

One other report indicates that using a reverse proxy (such as Perlbal) in front of the Apache server can help prevent the attack.

Using mod_evasive to limit the number of connections from one host and use mod_security to deny requests that look like they were issued by slowloris seem to be the best defence so far.

Has anyone on ServerFault been experiencing attacks such as this? If so, what measures did you implement to defend/prevent it?

NOTE: This question is for Apache servers as it is my understanding that Windows IIS servers are not affected.

In August 2007, SysAdmin magazine ceased publication after 15 years. Since then, what resources (preferably magazines) have system administrators turned to to stay on top of their game?

Here is an interesting problem/scenario that some sysadmins out there might enjoy:

An apartment building owner is giving away free internet access to his tennants. Basically he has a T1 coming to the building and every apartment has a CAT5 plug in the wall. The internet access is "free" (included in the rent or whatever) to the tennants.

The problem is, several of the tennants are downloading illegal movies/music via bittorrent. As a result, the MPAA and RIAA is sending "nastygrams" to the owner of the internet connection (ie. apartment owner) concerning the illegal downloads.

The apartment owner has blocked lists of torrent sites as well as several file extensions at the router level but the problem persists.

What I'd like to know is if anyone out there has a clever/inexpensive solution for this problem? QoS apparently only works up to a point because bittorrent can use pretty much any port it wants. Packet inspection doesn't work on encrypted connections, etc.

The apartment owner did say he would be happy if he could simply see the upload/download traffic (ie. potential abusers) of the individual apartment units.

Any ideas?

UPDATE: Not interested in discussing the legal/lawyer/social issues as much as the actual technical solutions (whatever they may be). I would kindly request you vote up the TECHNICAL discussions over the legal/social ones. Thanks!

ANSWER: Selected Justin Scott's answer as the correct answer because of his suggestion to use managed switches and MRTG. While it would have been nicer to block bittorrent or at least make it EXTREMELY difficult MRTG and a managed switch will allow us to easily identify the offender(s).