

Defending Against the New DOS Tool Slowloris - jcsalterego
http://www.codexon.com/posts/defending-against-the-new-dos-tool-slowloris

======
Unomi
mod_limitipconn doesn't work, because there is no completed request for a
connection. There was a handshake and part of the request was sent, but does
Apache see that as a connection? I think not.

Apache (and any other server) should expect a full request within a time
frame. A header set should not take long to load over a normal network. If the
header is not completed after a while, disconnect the request. This also helps
for requests that have not been set up for a DOS too.

I'm not an expert, but for me, I would look into the header-completion part
and not into limiting connections or whatever. If I had the knowledge,
I would try to hack it into the Apache source code, but I can't.

\- Unomi -
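The header-completion deadline Unomi describes, as an added example that is not from this thread or from Apache (Apache itself later shipped the idea as mod_reqtimeout's RequestReadTimeout directive): a Python asyncio read loop that gives the whole request head a single deadline and closes the connection when it lapses, so a client that trickles one header at a time cannot hold a slot open. The deadline values and the in-memory `simulate` feeder are assumptions for the demo.

```python
import asyncio

HEAD_DEADLINE = 5.0      # seconds for the whole request head (assumed demo value)
MAX_HEAD_BYTES = 8192

async def read_request_head(reader, deadline=HEAD_DEADLINE):
    """Return the request head (through the blank line), or None if it is not
    complete by the deadline, the client closed early, or it is oversized."""
    loop = asyncio.get_running_loop()
    end = loop.time() + deadline       # one deadline spans the whole head
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = end - loop.time()
        if remaining <= 0:
            return None
        try:
            chunk = await asyncio.wait_for(reader.read(1024), timeout=remaining)
        except asyncio.TimeoutError:
            return None  # deadline hit: drop the half-sent request
        if not chunk:
            return None  # client closed before finishing the head
        buf += chunk
        if len(buf) > MAX_HEAD_BYTES:
            return None
    return buf

async def handle(reader, writer):
    """asyncio.start_server callback: an unfinished head is closed, not parked."""
    head = await read_request_head(reader)
    if head is None:
        writer.close()
        return
    writer.write(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
    await writer.drain()
    writer.close()

def simulate(chunks, gap, deadline):
    """Feed fragments `gap` s apart via an in-memory reader (constructed, no network)."""
    async def run():
        reader = asyncio.StreamReader()
        async def feeder():
            for chunk in chunks:
                reader.feed_data(chunk)
                await asyncio.sleep(gap)
            reader.feed_eof()
        task = asyncio.create_task(feeder())
        head = await read_request_head(reader, deadline)
        task.cancel()
        return head
    return asyncio.run(run())
```

`simulate` returns None when the fragments arrive too slowly for the deadline and the full head bytes when they arrive in time; `handle` is what you would pass to `asyncio.start_server` to apply the same rule to real connections.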

~~~
pmjordan
_mod_limitipconn doesn't work, because there is no completed request for a
connection. There was a handshake and part of the request was sent, but does
Apache see that as a connection? I think not._

You're confusing this with a SYN flood, which works at the IP level, not the
userspace level, and for which a connection limit in user space would indeed
be ineffective.

In this attack, data is already transmitted, but it is incomplete, so the
server can't act upon the request, and Apache does hold that connection.

More info/discussion on the attack here:

<http://news.ycombinator.com/item?id=665741>

