Apache + Slowloris = FAIL
- Idea: open many connections to an HTTP server and slowly send requests that
will never complete
- This uses up resources on the webserver while having a very low traffic
- Apache: multi-processing modules (MPM) prefork and
worker have a limitation on the number of open connections;
each connection is bound to a process/thread.
- As soon as your slow, incomplete-request-sending connections hit this
limit, Apache will stop responding to other requests even though the open
connections generate virtually no load.
How To Do It Right
- Use async I/O: webservers using this technique are not vulnerable to the
Slowloris attack, e.g. lighttpd, nginx, gatling, Apache's experimental event
MPM, IIS 6/7, ...
- My advice: if in any way possible, move away from Apache. If not, patch
your Apache to mitigate the attack.
- I developed and tested a proof of concept mitigation patch based on prior
experience with similar attacks and published it on the Apache developer
mailing list in June 2009.
- ...it was mostly ignored and/or dismissed ("mitigation is futile. We need to finish the event MPM").
- Idea: reward clients that send reasonably fast, punish slow clients.
- Do this by reducing the connection timeout for each new connection based
on the current load (i.e. percentage of processes currently in use)
- Clients that send reasonably fast will have no problem with it.
- New connections opened by slow senders will be dropped quickly.
- Proof of concept patch for prefork MPM and Apache 2.2 linked below.
How To Do It Wrong
- A number of other mitigations were published, all of them are full of epic
- mod_noloris: detects Slowloris attacks by counting the
number of open connections per client (i.e. IP address). Trusted clients can be
- Problems with this approach:
- Doesn't work against Slowloris attacks launched from botnets
- Users behind NAT gateways are disadvantaged (false positives)
- Who maintains the trusted client list?
- mod_antiloris: same approach as mod_noloris.
- mod_limitipconn: same approach as mod_noloris.
- unnamed "crazy patch": if no free processes are available,
all processes/threads in read or keep-alive state are killed. WTF?!
- This is all full of EPIC FAIL and has obviously only been tested with the
Slowloris PoC script.
- the Apache developers are aware of the bug, they know
that their architecture is broken, and yet they do nothing about
- Move away from Apache, or - if that's impossible - defend yourself.