
Slow Loris Attack

Slowloris is a denial-of-service attack against Apache httpd (and any other server that dedicates a worker to each open connection). The attacker opens many connections and keeps every one of them alive with a partial HTTP request that is never completed, so the server's pool of request workers (MaxRequestWorkers, formerly MaxClients) fills up with idle connections and legitimate clients can no longer get a connection. It needs very little bandwidth and can be carried out from a single host, so it is a low-volume DoS rather than a volumetric DDoS.

When a client connects, Apache waits until the complete request header block has arrived before it starts processing the request. The core Timeout directive does not bound that wait: it is an idle timer that restarts every time a packet arrives (the default is 300 seconds in httpd 2.2 and 60 seconds in 2.4). An attacker who sends one header line every few seconds and never sends the blank line that terminates the headers can therefore hold a worker for as long as it likes, and one worker is all each connection needs to tie up.
mod_reqtimeout, which ships with httpd 2.2.15 and later, places an absolute limit on how long the header phase and the body phase of a request may take, independent of how often packets arrive. On CentOS/RHEL style installs the module is present but may not be loaded; httpd -M | grep reqtimeout shows whether it already is. If it is not, enable it as follows:

Create the file /etc/httpd/conf.d/reqtimeout_module.conf (Apache reads every *.conf file in that directory at startup; it is the drop-in configuration directory, not specifically the vhost directory) with the following content. If your distribution already loads the module, leave out the LoadModule line to avoid a "module already loaded, skipping" warning. Then run apachectl configtest and reload httpd:

LoadModule reqtimeout_module modules/mod_reqtimeout.so

# Slowloris mitigation
<IfModule mod_reqtimeout.c>
  RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

Directive            Description
header=20-40         Seconds allowed for the complete request header block to arrive: start with a 20 second limit, let a client that keeps sending data extend it, but never beyond 40 seconds in total.
MinRate=500 (header) Minimum transfer rate for headers in bytes per second. Every 500 bytes received extends the header deadline by one second, up to the 40 second maximum, so a client must keep sending at that rate to get any extension.
body=20              Seconds allowed for the request body to arrive once the headers are complete. With no upper bound given, a body that keeps arriving at MinRate can keep extending the deadline.
MinRate=500 (body)   The same accounting applied to body bytes: each 500 bytes received extends the body deadline by one second.

When a limit is hit, Apache answers the request with 408 Request Timeout and closes the connection, freeing the worker. The directive shortens how long any one connection can occupy a worker; it does not stop a large botnet from filling the worker pool with connections that each live for the allowed 20 to 40 seconds, so keep MaxRequestWorkers and connection limits in mind as well.
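The table above is easier to reason about when you see what happens to a concrete slow client. The following Python script is an added example for this page (not code from the wiki author or from the Apache project): idle_timeout_deadline and header_deadline model the core Timeout directive and the header= part of RequestReadTimeout as documented, which shows why a client sending 8 bytes every 50 seconds survives a 60 second Timeout indefinitely but is cut off at the 20 second mark by header=20-40,MinRate=500, and probe_slow_headers runs the same slow-header pattern over a single connection against a live host so you can confirm the directive is actually in effect. The per-read accounting inside mod_reqtimeout is simplified, so a real server may differ by a second or so; the target host, the X-a header name and the timing patterns are assumptions for illustration. Run the probe only against a server you operate.

```python
"""Slowloris vs. RequestReadTimeout: a timing model plus a one-connection probe.

Added example for this page; not code from the wiki or from the Apache project.
The model follows the documented semantics of
  RequestReadTimeout header=timeout[-maxtimeout][,MinRate=rate]
(start with `timeout` seconds, extend the deadline by one second for every
`rate` bytes received, never beyond `maxtimeout`) and of the core `Timeout`
directive (an idle timer that restarts on every packet). mod_reqtimeout's
per-read accounting is simplified; the numbers are illustrative.
"""
import socket
import time
from typing import Iterable, List, Optional, Tuple

Chunk = Tuple[float, int]  # (seconds after connect, header bytes in this packet)


def slow_client(interval: float, nbytes: int, total_seconds: float) -> List[Chunk]:
    """Constructed traffic pattern: a client that sends `nbytes` of header every
    `interval` seconds and never sends the blank line that ends the headers."""
    chunks: List[Chunk] = []
    t = interval
    while t <= total_seconds:
        chunks.append((t, nbytes))
        t += interval
    return chunks


def idle_timeout_deadline(idle: float, chunks: Iterable[Chunk]) -> float:
    """Core `Timeout` directive: the deadline is only ever `idle` seconds after
    the last packet, so a client that sends *anything* before each expiry keeps
    the worker for as long as it likes. Returns when the connection is dropped."""
    deadline = float(idle)
    for arrival, _ in sorted(chunks):
        if arrival > deadline:
            break  # nothing arrived in time; the server closed the connection
        deadline = arrival + idle
    return deadline


def header_deadline(timeout: float, max_timeout: Optional[float],
                    min_rate: Optional[int], chunks: Iterable[Chunk]) -> float:
    """mod_reqtimeout header phase, header=timeout[-max_timeout][,MinRate=min_rate].
    Bytes that arrive before the deadline extend it by nbytes/min_rate seconds,
    capped at max_timeout; bytes that arrive after it are never read."""
    deadline = float(timeout)
    cap = float(max_timeout) if max_timeout is not None else float("inf")
    for arrival, nbytes in sorted(chunks):
        if arrival > deadline:
            break  # connection already closed with 408 Request Timeout
        if min_rate:
            deadline = min(cap, deadline + nbytes / min_rate)
    return deadline


def probe_slow_headers(host: str, port: int = 80, interval: float = 5.0,
                       max_wait: float = 120.0) -> Tuple[float, bytes]:
    """Live check against a server YOU administer: open one connection, send the
    request line, then one extra header line every `interval` seconds without
    ever finishing the headers. Returns (seconds the server tolerated it, what
    it replied). With mod_reqtimeout active this ends near the configured header
    limit, normally with a 408; with only `Timeout` it runs to `max_wait`."""
    start = time.monotonic()
    reply = b""
    with socket.create_connection((host, port), timeout=interval + 5) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: %s\r\nUser-Agent: reqtimeout-probe\r\n"
                  % host.encode())
        s.settimeout(0.5)  # short recv wait so we notice a close between header lines
        n = 0
        while time.monotonic() - start < max_wait:
            time.sleep(interval)
            try:
                s.sendall(b"X-a: %d\r\n" % n)  # one more header line, never the blank line
                n += 1
                data = s.recv(4096)  # b"" on orderly close, or the 408 response body
                reply += data
                break
            except socket.timeout:
                continue  # server has said nothing yet; keep dribbling headers
            except (ConnectionResetError, BrokenPipeError):
                break  # server dropped us without a reply
    return time.monotonic() - start, reply


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed test host
    seconds, answer = probe_slow_headers(target)
    print(f"slow headers tolerated for {seconds:.1f}s; reply: {answer[:64]!r}")
```

Running python3 slowloris_check.py your.server against a host with the configuration above should report roughly 20 seconds and a 408 response; a result near the 120 second max_wait means the module is not loaded or the directive is not being applied to that vhost. The model functions need no network and can be used to sanity-check other header=/MinRate= values before deploying them.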
http_slow_loris.txt · Last modified: 2024/05/23 07:26 by 127.0.0.1