Using HTTP POST for denial of service
Posted Dec 2, 2010 16:41 UTC (Thu) by adamgundy
Parent article: Using HTTP POST for denial of service
seems to me the traditional solution for slowloris would solve this ('put nginx in front of your vulnerable server').
it has configurable limits on HTTP body size (post size), which can be configured per-server or per-page, and buffers all of the request before sending it on to the backend server (ie: slow GETs or POSTs get absorbed in their entirety before being handed off to the backend server as fast as possible). you can also set request timeouts.
I'm guessing other C10K web servers or proxies would provide the same protection (lighttpd, Cherokee, pound, varnish, etc etc).
to post comments)