How to beat Slowloris HTTP DoS attacks

Submitted by markoshust Mon, 01/18/2010 - 00:00

I’ve recently been involved with a site that was experiencing a heavy level of Slowloris attacks. Slowloris is a DoS (Denial of Service) attack that was made with a very simple agenda – to shut down websites with a very low-level attacking client. It seems to mainly affect Apache, the most popular web server in the world (newer web servers such as Lighttpd and nginx are unaffected). It has been recently talked about in a variety of magazines and publications such as Linux Magazine and HowToForge.com.

With various possible fixes given in those articles, I was unable to completely guard against the attack. While it seemed as though the Apache module mod_evasive was the only thing partly helping against the attacks, it was not a 100% fix to the problem. Migrating off Apache was not an option at this time, so I thought about it and came to the conclusion that I can have a script automatically restart Apache when the number of current open Apache processes increases past a set threshold. So, I created the following script and placed it at /etc/custom/anti_slowloris.sh:

#!/bin/bash
# author: mark shust
# created: 2009.10.12 09:16

# get number of apache processes: every ps line containing "apache",
# excluding root-owned processes and the grep command itself
apachecount=$(ps axo 'pid user size cmd' | grep apache | grep -v '\(root\|grep\)' | wc -l)

# restart apache if there are more than the defined number of running processes
if [ "$apachecount" -gt 25 ] ; then
  /etc/init.d/httpd restart
fi

What this script essentially does is count the number of current open Apache processes, and if it is past a certain limit (in this case, 25), it will automatically restart Apache. This script has now been running on a cron for 3 months and during that time we have no longer had any issues at all regarding these DoS attacks. Feel free to use the script and modify it as necessary. Below is the related cron setup (basically runs every 5 minutes). Since it is such a tiny script, it pretty much takes up no load on the server:

0,5,10,15,20,25,30,35,40,45,50,55 * * * * /etc/custom/anti_slowloris.sh
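
The watchdog above only counts Apache processes, so it cannot tell a connection-holding client from ordinary load. The following added example (not part of the original post, and going one step beyond it) lists the client addresses that hold the most established connections to the web port, which can be logged just before the restart. The function names, the port, the limit and the sample lines are assumptions made for illustration; the input is expected in the column layout of `ss -tn`.

```shell
#!/bin/bash
# Added example, not the author's script.

# Constructed sample in the column layout of `ss -tn`
# (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).
sample_ss_output() {
  cat <<'EOF'
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      192.0.2.10:80       198.51.100.7:40112
ESTAB     0      0      192.0.2.10:80       198.51.100.7:40113
ESTAB     0      0      192.0.2.10:80       198.51.100.7:40114
ESTAB     0      0      192.0.2.10:80       198.51.100.7:40115
ESTAB     0      0      192.0.2.10:80       203.0.113.5:51820
ESTAB     0      0      192.0.2.10:22       198.51.100.7:40200
TIME-WAIT 0      0      192.0.2.10:80       203.0.113.5:51000
EOF
}

# top_talkers PORT LIMIT
# Reads `ss -tn` style lines on stdin and prints "count address" for every
# peer holding more than LIMIT established connections to local PORT,
# busiest first.
top_talkers() {
  awk -v port="$1" -v limit="$2" '
    $1 == "ESTAB" {
      n = split($4, loc, ":")          # last field after ":" is the local port
      if (loc[n] != port) next         # ignore other services (e.g. ssh)
      peer = $5
      sub(/:[0-9]+$/, "", peer)        # strip the client source port
      count[peer]++
    }
    END {
      for (p in count)
        if (count[p] > limit) print count[p], p
    }
  ' | sort -rn
}

# Demonstration on the constructed sample; on a live host the input
# would come from:  ss -tn | top_talkers 80 20
sample_ss_output | top_talkers 80 3
```
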