
Overview

The Slowloris attack attempts to open a large number of connections with a web server and holds those connections open for as long as possible. A web server can only provide service to a finite number of clients. After the Slowloris attack consumes all of the available connections on a server, other clients cannot reach its sites.

To accomplish this, the Slowloris program opens a connection to the web server and sends a partial request. It then periodically sends additional HTTP headers to extend those requests without ever completing them. This process eventually fills the maximum number of concurrent connections, which denies additional connections from other clients.

This document provides several methods to mitigate the impact of Slowloris attacks.

For more information about Slowloris attacks, read Slowloris at Wikipedia.

The mod_reqtimeout module (recommended)

Note:

The mod_reqtimeout module is available for Apache version 2.2.

Place any configuration directives that use the mod_reqtimeout module in the /usr/local/apache/conf/includes/pre_main_global.conf file.

The following example configuration demonstrates how you can use the mod_reqtimeout module:

<IfModule mod_reqtimeout.c>
   RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>

This configuration waits up to 20 seconds for header data to begin arriving. As long as the client sends header data at a rate of at least 500 bytes per second, the server extends that timeout and waits for up to 40 seconds in total for the headers to complete.

This configuration also waits up to 20 seconds for body data. As long as the client sends body data at a rate of at least 500 bytes per second, the server extends that timeout and waits for up to 40 seconds in total for the body of the request to complete.
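To make the timeout arithmetic concrete, the following is an added Python model of how a RequestReadTimeout phase extends its deadline; it is not code from this page or from Apache. It assumes the documented behaviour that each MinRate bytes received extends the deadline by one second, never beyond the maximum, and uses constructed client timelines checked against the directive shown above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class PhaseTimeout:
    initial: float   # seconds allowed before any data for this phase arrives
    maximum: float   # hard ceiling on total seconds for this phase
    min_rate: int    # bytes per second; 0 means no rate-based extension

_PHASE = re.compile(
    r"\b(?P<phase>header|body)=(?P<init>\d+)(?:-(?P<max>\d+))?(?:,MinRate=(?P<rate>\d+))?"
)

def parse_request_read_timeout(line: str) -> Dict[str, PhaseTimeout]:
    """Parse the header=/body= arguments of a RequestReadTimeout directive."""
    phases: Dict[str, PhaseTimeout] = {}
    for m in _PHASE.finditer(line):
        initial = float(m["init"])
        maximum = float(m["max"]) if m["max"] else initial
        rate = int(m["rate"]) if m["rate"] else 0
        phases[m["phase"]] = PhaseTimeout(initial, maximum, rate)
    return phases

def phase_completes(cfg: PhaseTimeout, chunks: List[Tuple[float, int]], needed: int) -> bool:
    """Model one phase: chunks are (seconds since phase start, bytes received).

    Assumed model: the deadline starts at cfg.initial; each chunk extends it by
    bytes / min_rate seconds, clamped to cfg.maximum. Returns True if `needed`
    bytes arrive before the deadline passes, False if the server would close
    the connection first.
    """
    deadline = cfg.initial
    received = 0
    for arrival, nbytes in chunks:
        if arrival > deadline:
            return False          # client stalled past the deadline: connection closed
        received += nbytes
        if received >= needed:
            return True           # phase finished in time
        if cfg.min_rate:
            deadline = min(cfg.maximum, deadline + nbytes / cfg.min_rate)
    return False                  # data never finished arriving

# Constructed scenarios against the directive used on this page.
PAGE_DIRECTIVE = "RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500"
HEADER_CFG = parse_request_read_timeout(PAGE_DIRECTIVE)["header"]
# Slow-drip client: 10 bytes every 15 s stays far below 500 B/s and is cut off.
SLOW_DRIP = [(15.0, 10), (30.0, 10), (45.0, 10)]
# Slow but steady client at exactly 500 B/s is granted the full 40 s.
STEADY = [(float(s), 500) for s in range(1, 41)]
```

The steady client finishes a 20000-byte header block exactly at the 40-second ceiling, while a client sending 500 bytes only every 2 seconds falls behind the extension rate and is dropped before it finishes.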

For more information, read Apache's ModReqtimeout Documentation.

Additional documentation