Using Varnish to protect Apache against slowloris
From TykWiki
In June 2009 a tool called slowloris was created that makes it trivial for any script kiddie to tie up all the available connections on Apache and other web servers.
I downloaded the script and sure enough, I was able to take down all the Apache servers I manage (including the one you are reading this on) from an ADSL line (the servers are on much bigger links). So while this attack has been known for a long time, the fact that slowloris has been released makes it likely in my opinion that this will be exploited in the near future.
I set out to find an effective way to mitigate the attack, and Varnish came up as a solution among many others suggested around the web:
- Tweaking Apache timeout settings
- Using the accf_http kernel module has been suggested as an effective mitigation
- pf overload techniques have been suggested (say, block an IP if it opens more than 50 connections in five seconds to the Apache port)
- Set up lighttpd or Varnish in front of the Apache server, and proxy only valid requests.
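The pf overload rule in the list above (block a client that opens more than 50 connections in five seconds) is easy to prototype as detection logic over a connection log. The following Python script is an added example, not from this wiki page: it keeps a sliding window of connection timestamps per client and reports any client that exceeds the limit. The IP addresses and timestamps are constructed sample data; the threshold values are the ones quoted above.

```python
"""Sliding-window connection-rate check, modelled on the pf overload rule.

Added example (not from the wiki page). Given a stream of (timestamp, client_ip)
connection events, flag any client that opens more than LIMIT connections within
any WINDOW-second span. The event log built below is constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

WINDOW_SECONDS = 5.0   # "in five seconds" (threshold quoted on the page)
LIMIT = 50             # "more than 50 connections" (threshold quoted on the page)


def find_offenders(events: Iterable[Tuple[float, str]],
                   window: float = WINDOW_SECONDS,
                   limit: int = LIMIT) -> Dict[str, float]:
    """Return {ip: timestamp at which that client first exceeded the limit}.

    Events must arrive in non-decreasing timestamp order, as a connection log
    would. For each client we keep only the timestamps that still fall inside
    the window, so memory is bounded by `limit` entries per client.
    """
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    offenders: Dict[str, float] = {}
    for ts, ip in events:
        q = recent[ip]
        # Discard connections that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        # Strictly more than `limit` connections inside one window: flag once.
        if len(q) > limit and ip not in offenders:
            offenders[ip] = ts
    return offenders


def build_sample_events() -> List[Tuple[float, str]]:
    """Constructed sample log (RFC 5737 documentation addresses):
    - 203.0.113.7 opens 60 connections in 3 s (slowloris-like burst)
    - 198.51.100.4 opens 40 connections in 5 s (busy, but under the limit)
    - 192.0.2.9 opens 5 connections over 10 s (quiet)
    """
    events: List[Tuple[float, str]] = []
    events += [(100.0 + i / 20, "203.0.113.7") for i in range(60)]     # every 50 ms
    events += [(100.0 + i * 0.125, "198.51.100.4") for i in range(40)]  # every 125 ms
    events += [(100.0 + i * 2.0, "192.0.2.9") for i in range(5)]        # every 2 s
    events.sort()  # merge into time order, as a real log would be
    return events


if __name__ == "__main__":
    for ip, when in find_offenders(build_sample_events()).items():
        print(f"{ip} exceeded {LIMIT} connections within {WINDOW_SECONDS}s at t={when}")
```

In a real deployment the timestamps would come from the firewall's state table or the proxy's access log, and the block itself would be applied by the firewall, as the pf approach does; the script only shows the counting rule.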
THIS ARTICLE IS NOT FINISHED