User: Password:
Subscribe / Log in / New account

Apache attacked by a "slow loris"

Apache attacked by a "slow loris"

Posted Jun 29, 2009 9:36 UTC (Mon) by dlang (subscriber, #313)
In reply to: Apache attacked by a "slow loris" by njs
Parent article: Apache attacked by a "slow loris"

no I am not arguing that they need to only defend us against dialup users. I am saying that their mistakes have made us vulnerable to _even_ dialup users

I argue that using the same variable for

1. how long after a connection do I wait for a request

2. how long can the flow of data pause

3. what is the max length of time that a CGI can run, even if it is passing data continuously

is just bad design period, even if the attackers aren't taking advantage of it, these are three very different cases, and the appropriate values are very different between them. this affects the activity of a site even when it's not under attack.

if someone is out to get you and is willing to burn/use a large botnet to do it, they are going to get you. I don't care who you are, thousands of bots collectivly have more bandwidth than you do, so they can take you down by just doing legitimate things on your site.

the current situation is that trivial attacks can take apache down, at almost no cost to the attackers in terms of load. this means that they can do it on a botnet without doing anything that would make the owners of the machine notice that something is wrong.

fixing the timeouts so that each of the three cases above are handled seperatly would force the attacker to use significantly more bandwidth for their attack, this would either raise the possibility that the owners of the machines would notice something was wrong (because the letgitmate use is slow due to the load), or it would force the attackers to use much larger botnets. either of these would make it more expensive for the attacker

(Log in to post comments)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds