Update on protection against slowloris

> Hi list!
>
> We tested mod_antiloris 0.4 and found it quite efficient, but before
> putting it in production, we would like to hear some feedback from
> freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is
> anyone using it? Do you have any other way to patch against Slowloris
> other than putting a proxy in front or using the HTTP accept filter?
>
> Thanks for your feedback,
>
> Martin
> _______________________________________________
> freebsd-security@... mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@..."

> Martin Turgeon wrote:
> > Hi list!
> >
> > We tested mod_antiloris 0.4 and found it quite efficient, but before
> > putting it in production, we would like to hear some feedback from
> > freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is
> > anyone using it? Do you have any other way to patch against Slowloris
> > other than putting a proxy in front or using the HTTP accept filter?
> >
> > Thanks for your feedback,
> >
> > Martin
> > _______________________________________________
> > freebsd-security@... mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to
> > "freebsd-security-unsubscribe@..."
> Hello,
>
> I am using it succesfully although not under any serious load, same
> Apache and FreeBSD versions. I found it easy (compared to the
> alternatives) and efficient, and no I don't know of any other ways of
> blocking the attack, short of using Varnish or similar. However,
> accf_http doesn't help at all, since HTTP POST requests bypass the
> filter. HTTP POST can be enabled by passing the -httpready switch to
> Slowloris.
>
> Please report back with your findings, I've been wondering how it
> would perform under load.
>
> Best of luck with it,
>
> Thomas Rasmussen

> On Thu, 2009-10-01 at 02:40 +0200, Thomas Rasmussen wrote:
>> Martin Turgeon wrote:
>>> Hi list!
>>>
>>> We tested mod_antiloris 0.4 and found it quite efficient, but before
>>> putting it in production, we would like to hear some feedback from
>>> freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is
>>> anyone using it? Do you have any other way to patch against  
>>> Slowloris
>>> other than putting a proxy in front or using the HTTP accept filter?
>>>
>>> Thanks for your feedback,
>>>
>>> Martin
>>> _______________________________________________
>>> freebsd-security@... mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to
>>> "freebsd-security-unsubscribe@..."
>> Hello,
>>
>> I am using it succesfully although not under any serious load, same
>> Apache and FreeBSD versions. I found it easy (compared to the
>> alternatives) and efficient, and no I don't know of any other ways of
>> blocking the attack, short of using Varnish or similar. However,
>> accf_http doesn't help at all, since HTTP POST requests bypass the
>> filter. HTTP POST can be enabled by passing the -httpready switch to
>> Slowloris.
>>
>> Please report back with your findings, I've been wondering how it
>> would perform under load.
>>
>> Best of luck with it,
>>
>> Thomas Rasmussen
>
> We use Apache 2.2 with the event MPM. This configuration is immune to
> slowloris, as it was designed (several years before 'slowloris' came
> along) to solve that exact problem.

>
> On 1. okt. 2009, at 10.59, Tom Evans wrote:
>
>  On Thu, 2009-10-01 at 02:40 +0200, Thomas Rasmussen wrote:
>>
>>> Martin Turgeon wrote:
>>>
>>>> Hi list!
>>>>
>>>> We tested mod_antiloris 0.4 and found it quite efficient, but before
>>>> putting it in production, we would like to hear some feedback from
>>>> freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is
>>>> anyone using it? Do you have any other way to patch against Slowloris
>>>> other than putting a proxy in front or using the HTTP accept filter?
>>>>
>>>> Thanks for your feedback,
>>>>
>>>> Martin
>>>> _______________________________________________
>>>> freebsd-security@... mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>>> To unsubscribe, send any mail to
>>>> "freebsd-security-unsubscribe@..."
>>>>
>>> Hello,
>>>
>>> I am using it succesfully although not under any serious load, same
>>> Apache and FreeBSD versions. I found it easy (compared to the
>>> alternatives) and efficient, and no I don't know of any other ways of
>>> blocking the attack, short of using Varnish or similar. However,
>>> accf_http doesn't help at all, since HTTP POST requests bypass the
>>> filter. HTTP POST can be enabled by passing the -httpready switch to
>>> Slowloris.
>>>
>>> Please report back with your findings, I've been wondering how it
>>> would perform under load.
>>>
>>> Best of luck with it,
>>>
>>> Thomas Rasmussen
>>>
>>
>> We use Apache 2.2 with the event MPM. This configuration is immune to
>> slowloris, as it was designed (several years before 'slowloris' came
>> along) to solve that exact problem.
>>
>
> Without SSL, I presume?
>
> /Eirik
>
> _______________________________________________
> freebsd-security@... mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@...
> "
>

> On 1. okt. 2009, at 10.59, Tom Evans wrote:
>
> > On Thu, 2009-10-01 at 02:40 +0200, Thomas Rasmussen wrote:
> >> Martin Turgeon wrote:
> >>> Hi list!
> >>>
> >>> We tested mod_antiloris 0.4 and found it quite efficient, but before
> >>> putting it in production, we would like to hear some feedback from
> >>> freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is
> >>> anyone using it? Do you have any other way to patch against  
> >>> Slowloris
> >>> other than putting a proxy in front or using the HTTP accept filter?
> >>>
> >>> Thanks for your feedback,
> >>>
> >>> Martin
> >>> _______________________________________________
> >>> freebsd-security@... mailing list
> >>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >>> To unsubscribe, send any mail to
> >>> "freebsd-security-unsubscribe@..."
> >> Hello,
> >>
> >> I am using it succesfully although not under any serious load, same
> >> Apache and FreeBSD versions. I found it easy (compared to the
> >> alternatives) and efficient, and no I don't know of any other ways of
> >> blocking the attack, short of using Varnish or similar. However,
> >> accf_http doesn't help at all, since HTTP POST requests bypass the
> >> filter. HTTP POST can be enabled by passing the -httpready switch to
> >> Slowloris.
> >>
> >> Please report back with your findings, I've been wondering how it
> >> would perform under load.
> >>
> >> Best of luck with it,
> >>
> >> Thomas Rasmussen
> >
> > We use Apache 2.2 with the event MPM. This configuration is immune to
> > slowloris, as it was designed (several years before 'slowloris' came
> > along) to solve that exact problem.
>
> Without SSL, I presume?
>
> /Eirik
>

> "The bad news is that it can indeed take a badly-configured apache
> server down, and the worse news is that that includes a low-traffic
> out-of-the box configuration.  Even with the Event MPM, slowloris can
> tie up one worker thread per connection."
>
>
>
>
> for sure
>

> On Thu, 2009-10-01 at 19:46 +0100, István wrote:
> > "The bad news is that it can indeed take a badly-configured apache
> > server down, and the worse news is that that includes a low-traffic
> > out-of-the box configuration.  Even with the Event MPM, slowloris can
> > tie up one worker thread per connection."
> >
> >
> >
> >
> > for sure
> >
>
> It doesn't tie up one thread, one thread is partially occupied by
> waiting for the slowloris connection to finish sending the request. That
> thread can still handle other connections that are sending requests. In
> our tests, running a couple of slowloris instances against event MPM had
> virtually no effect.
>
> Cheers
>
> Tom
>
>

> Martin Turgeon wrote:
>> Hi list!
>>
>> We tested mod_antiloris 0.4 and found it quite efficient, but before
>> putting it in production, we would like to hear some feedback from
>> freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is
>> anyone using it? Do you have any other way to patch against Slowloris
>> other than putting a proxy in front or using the HTTP accept filter?
>>
>> Thanks for your feedback,
>>
>> Martin
>> _______________________________________________
>> freebsd-security@... mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to
>> "freebsd-security-unsubscribe@..."
> Hello,
>
> I am using it succesfully although not under any serious load, same
> Apache and FreeBSD versions. I found it easy (compared to the
> alternatives) and efficient, and no I don't know of any other ways of
> blocking the attack, short of using Varnish or similar. However,
> accf_http doesn't help at all, since HTTP POST requests bypass the
> filter. HTTP POST can be enabled by passing the -httpready switch to
> Slowloris.
>
> Please report back with your findings, I've been wondering how it
> would perform under load.
>
> Best of luck with it,
>
> Thomas Rasmussen
>

> Thomas Rasmussen a écrit :
>> Martin Turgeon wrote:
>>> Hi list!
>>>
>>> We tested mod_antiloris 0.4 and found it quite efficient, but before
>>> putting it in production, we would like to hear some feedback from
>>> freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is
>>> anyone using it? Do you have any other way to patch against
>>> Slowloris other than putting a proxy in front or using the HTTP
>>> accept filter?
>>>
>>> Thanks for your feedback,
>>>
>>> Martin
>>> _______________________________________________
>>> freebsd-security@... mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to
>>> "freebsd-security-unsubscribe@..."
>> Hello,
>>
>> I am using it succesfully although not under any serious load, same
>> Apache and FreeBSD versions. I found it easy (compared to the
>> alternatives) and efficient, and no I don't know of any other ways of
>> blocking the attack, short of using Varnish or similar. However,
>> accf_http doesn't help at all, since HTTP POST requests bypass the
>> filter. HTTP POST can be enabled by passing the -httpready switch to
>> Slowloris.
>>
>> Please report back with your findings, I've been wondering how it
>> would perform under load.
>>
>> Best of luck with it,
>>
>> Thomas Rasmussen
>>
> Hi everyone,
>
> We haven't put mod_antiloris in production yet, but I wrote this
> little shell script to protect us against distributed attack. It's
> running every minutes in crontab. It checks for any IP with more than
> 100 connections in FIN_WAIT_2 state and block those IP in PF.
>
> #!/bin/sh
>
> /usr/bin/netstat -nfinet | grep FIN_WAIT_2 > netstat.out
>
> /usr/local/sbin/expiretable -t 300 slowloris
>
> for ip in `awk '{print $5}' netstat.out | awk -F. '{print
> $1"."$2"."$3"."$4}' | sort | uniq` ; do
>        if [ `grep -c $ip netstat.out` -gt 100 ] ; then
>                pfctl -t slowloris -Ta $ip 2> /dev/null
>        fi
> done
>
> Did anyone have any comments on the script itself or the method used
> to detect the attackers?
>
> Thanks for your input,
>
> Martin
>