In my time maintaining a software download mirror I essentially had to deal with this on a regular basis thanks to the oodles of freeware "Download Accelerators" out there which make the assumption that downloading one file in hundreds of pieces from a site surely must be faster than downloading it in one piece. Just get hit by a few people with slow modems using one of these things to download all the Debian isos and poof, no one is happy.
There is an Apache module called mod_limitipconn floating around that I used to limit each individual ip address to about 20 concurrent connections which seemed to be a reasonable compromise number between killing the damn broken download accelerators and allowing legitimate proxies for my traffic.
Posted Jun 25, 2009 6:56 UTC (Thu) by man_ls (subscriber, #15091)
I'm probably stating the obvious, but why not cut each client after a total time of, say, 20 seconds? Genuine clients should not take more than that in making a request. Such a global timeout would only damage extremely slow network links, which might (arguably) be better off cutting the connection short. Quite often I've seen my trusty Firefox waiting minutes for a site which, unsurprisingly, does not come out after all.
Combined with something like what you say (20 connections per IP) it would severely limit the damage of this attack. Each individual slow loris would only be able to tie up 20 threads for 20 seconds. So you would need a fairly extensive network to take a site up.
Time them out
Posted Jun 25, 2009 10:16 UTC (Thu) by MathFox (guest, #6104)
If you are running a blog or CMS, some of your users need to upload (POST) stories/texts, images and other media. Depending on the website, that can be quite some data, a few megabytes. Timing out too early will make your editors unhappy (and still allows for enough of a window for slow loris.) I have good experiences with server side proxies (freeing Apache resources for all users on slow links); our problem was getting 4 MB of HTML to users on slower links. Apache kept all its resources till the last byte was sent.
Time them out
Posted Jun 27, 2009 13:10 UTC (Sat) by jengelh (subscriber, #33263)
So, use <LimitExcept POST> to allow such slowposting for CMS expecting dialup users.
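As an added illustration (not posted by any commenter in this thread), here is how the two controls discussed above, a per-IP connection cap and a header timeout, can be expressed in an Apache configuration, while keeping a longer, rate-based window for POST bodies so slow uploads are not cut off. It assumes mod_limitipconn and mod_reqtimeout are loaded; the 20-connection and 20-second values are the ones suggested in the thread, and the body limits are assumed values to adjust per site:

```apache
# Cap concurrent connections per client IP (mod_limitipconn, third-party module).
# Each slow loris then ties up at most 20 workers; legitimate proxies still get 20.
<IfModule mod_limitipconn.c>
    <Location />
        MaxConnPerIP 20
    </Location>
</IfModule>

# Time out clients that do not finish sending request headers (mod_reqtimeout).
# header=20-40,MinRate=500: allow 20s for the headers, extended by 1s per 500 bytes
# received, up to a hard limit of 40s. A slow loris dribbling a few bytes per
# minute never reaches the minimum rate and is dropped.
# body=300,MinRate=500: editors uploading a few megabytes over a slow link keep
# the connection as long as data keeps arriving at 500 bytes/s (assumed values).
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=300,MinRate=500
</IfModule>

# Safety net for idle connections once the request has been read.
Timeout 60
```

The body timeout is what addresses the CMS upload concern raised earlier in the thread: it is rate-based rather than a single fixed cutoff, so a genuinely slow uploader is distinguished from a client that sends nothing.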