How to beat Slowloris HTTP DoS attacks
source link: https://markshust.com/2010/01/18/how-to-beat-slowloris-http-dos-attacks/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
How to beat Slowloris HTTP DoS attacks
January 18, 2010 · 2 min read · Edit on GitHub
I’ve recently been involved with a site that was experiencing a heavy level of Slowloris attacks. Slowloris is a DoS (Denial of Service) attack that was made with a very simple agenda – to shutdown websites with a very low-level attacking client. It seems to mainly affect Apache, the most popular web server in the world (newer web servers such as Lighttpd and nginx are unaffected). It has been recently talked about in a variety of magazines and publications such as Linux Magazine and HowToForge.com.
With various possible fixes given in those articles, I was unable to completely guard against the attack. While it seemed as though the Apache module mod_evasive was the only thing partly helping the attacks, it was not a 100% fix to the problem. Migrating off Apache was not an option at this time, so I thought about it and came to the conclusion that I can have a script automatically restart Apache when the number of current open Apache processes increases past a set threshold. So, I created the following script and placed at /etc/custom/anti_slowloris.sh:
#!/bin/bash
# author: mark shust
# created: 2009.10.12 09:16
# get number of apache processes
apachemem=`ps axo 'pid user size cmd' | grep apache | grep -v '\(root\|grep\)' | wc -l`
# restart apache if there are more than the defined number of running processes
if [ $apachemem -gt 25 ] ; then
/etc/init.d/httpd restart
fiWhat this script essentially does in count the number of current open Apache processes, and if is past a certain limit (in this case, 25), it will automatically restart apache. This script has now been running on a cron for 3 months and during that time we have no longer had any issues at all regarding these DoS attacks. Feel free to use the script and modify it as necessary. Below is the related cron setup (basically runs every 5 minutes). Since it is such a tiny script it pretty much takes up no load on the server:
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /etc/custom/anti_slowloris.shRecommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK