Using Varnish to protect Apache against slowloris

From TykWiki
Revision as of 20:24, 22 June 2009 by Tykling

In June 2009 a tool called slowloris (http://ha.ckers.org/blog/20090617/slowloris-http-dos/) was released that makes it trivial for any script kiddie to tie up all the available connections on Apache and other web servers: it opens many connections and sends the HTTP request headers a few bytes at a time, never completing them, so every worker slot ends up waiting on a request that will not finish.

I downloaded the script and, sure enough, I was able to take down all the Apache servers I manage (including the one you are reading this on) from an ADSL line (the servers are on much bigger links). So while this attack has been known for a long time, the fact that slowloris has been released makes it likely, in my opinion, that this will be exploited in the near future.

I set out to find an effective way to mitigate the attack, and Varnish came up as a solution among many others suggested around the web:

  • Tweaking Apache timeout settings (for example lowering the Timeout directive, so that idle, half-sent requests are dropped sooner)
  • Loading the FreeBSD accf_http accept filter kernel module, so that the kernel only hands a connection to Apache once a complete HTTP request has arrived, has been suggested as an effective mitigation
  • pf overload rules have been suggested (say, block an IP if it opens more than 50 connections in five seconds to the Apache port)
  • Setting up lighttpd or Varnish in front of the Apache server and proxying only complete, valid requests; the proxy reads the whole request before contacting Apache, so the slow connections are held by the proxy, which can keep thousands of idle connections open cheaply, instead of occupying Apache worker slots
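
As an added example (it is not part of the original article and not taken from the pf or Varnish projects), the following pf.conf fragment implements the overload rule from the list above. The interface name em0, the server address 192.0.2.10 and the table name are placeholders chosen for illustration; the 50 connections in five seconds threshold is the figure given in the list, and the max-src-conn value of 100 is an assumption.

```pf
# Added example (not from the original article): a pf.conf fragment for the
# overload rule sketched above. Interface name, server address and table
# name are placeholders chosen for illustration.
ext_if = "em0"
web_server = "192.0.2.10"

# Table that collects offending source addresses. 'persist' keeps the table
# around even when it is empty or the ruleset is reloaded.
table <slowloris> persist

# Drop all traffic from addresses already in the table. 'quick' stops rule
# evaluation here, so the pass rule below never sees these packets.
block in quick on $ext_if from <slowloris>

# Allow new TCP connections to the web server but track each source address:
#   max-src-conn 100       - at most 100 simultaneous connections per source
#   max-src-conn-rate 50/5 - at most 50 new connections per 5 seconds
# A source exceeding either limit is added to <slowloris>, and 'flush global'
# kills every state it already holds, freeing the Apache slots it was tying up.
pass in on $ext_if proto tcp from any to $web_server port 80 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 50/5, \
     overload <slowloris> flush global)
```

Load the ruleset with `pfctl -f /etc/pf.conf` and inspect the blocked addresses with `pfctl -t slowloris -T show`. pf never expires table entries on its own, so run something like `pfctl -t slowloris -T expire 3600` from cron to release addresses that have been quiet for an hour. Two caveats: many users behind one NAT address or a forward proxy can legitimately exceed 50 connections in five seconds, and an attacker who spreads the slow connections over several source addresses stays under the per-source threshold, so pick the numbers against the observed traffic and the server's MaxClients rather than copying these.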

THIS ARTICLE IS NOT FINISHED