Tag Archives: prevent

Countering a Slow Loris Apache attack

Here is a poor man’s way to mitigate a slow loris attack. The DoS attack, not the fuzzy mammal with the poisonous elbows.

If you’re reading this, hopefully you’ve searched and figured out what the slow loris attack is all about. You probably also run Apache 1.x or 2.x. I read about the antiloris module (and noloris as well, IIRC), but I wondered if I had tools already in place to help mitigate another attack.

First, you need to lower the “Timeout” value in Apache. The default is 300 seconds, which means you are holding a socket open for 5 full minutes. Since what day in the mid-1990s has that really been necessary. And if you have scripts that run that long, you have another wide open avenue of DoS attack that will be exploited soon anyway.

Second, configure CSF to use the “PORTFLOOD” feature (requires ipt_recent), and set a reasonable limit on tcp connections to your web server port(s).

When I ran slow loris against the server in question, clearly just reducing the timeout value had a major impact on slow loris’ ability to keep the server down. Response time slowed considerably, but Apache was still serving pages. Adding the CSF PORTFLOOD rule stopped slow loris dead in its tracks.