How to Mitigate Slowloris Attacks
Last modified: February 8, 2024
Overview
This document provides several methods to mitigate the impact of Slowloris attacks.
A Slowloris attack is a denial-of-service attack that attempts to open a large number of connections on a web server. The attacker then holds those connections open for as long as possible. A web server can only serve data to a finite number of clients. Once the attack consumes all of the available connections, no other clients can reach the site.
For more information about Slowloris attacks, read Wikipedia’s Slowloris article.
The mod_reqtimeout and mod_qos modules
We provide two Apache modules that help mitigate Slowloris attacks:
- mod_reqtimeout (we recommend this module)
- mod_qos
Module installation and configuration
To install either module, use WHM's EasyApache 4 interface (WHM » Home » Software » EasyApache 4). Once you have installed your preferred module, perform the following steps to create the configuration include file:
- Log in to your server via SSH as the root user.
- Create the appropriate include file with the following command:
  - For the mod_reqtimeout module:
    touch /etc/apache2/conf.d/mod_reqtimeout.conf
  - For the mod_qos module:
    touch /etc/apache2/conf.d/qos.conf
- With your preferred text editor, add the following example to the include file:
  - For the /etc/apache2/conf.d/mod_reqtimeout.conf include file:
    <IfModule mod_reqtimeout.c>
        RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
    </IfModule>
  - For the /etc/apache2/conf.d/qos.conf include file:
    <IfModule qos_module>
        # handle connections from up to 100000 different IPs
        QS_ClientEntries 100000
        # allow only 50 connections per IP
        QS_SrvMaxConnPerIP 50
        # Some examples for mod_qos show MaxClients/MaxRequestWorkers. Do not set those here,
        # instead set MaxRequestWorkers in WHM
        # disables keep-alive when 180 (70%) TCP connections are occupied
        QS_SrvMaxConnClose 180
        # minimum request/response speed
        # (deny slow clients blocking the server, keeping connections open without requesting anything)
        QS_SrvMinDataRate 150 1200
    </IfModule>
mod_reqtimeout example explanation
The /etc/apache2/conf.d/mod_reqtimeout.conf file example in the previous section sets the RequestReadTimeout directive. In this example, the mod_reqtimeout module will enforce the following behavior:
- The system will wait up to 20 seconds for header data. As long as the client sends header data at a rate of 500 bytes per second, the server will wait up to 40 seconds for the headers to complete.
- The system will wait up to 20 seconds for body data. As long as the client sends body data at a rate of 500 bytes per second, the server will wait up to 40 seconds for the body of the request to complete.
For more information, read Apache’s ModReqtimeout documentation.
mod_qos example explanation
The /etc/apache2/conf.d/qos.conf file example in the previous section sets the mod_qos directives listed below. In this example, the mod_qos module will enforce the following behavior:
Directive | Description |
---|---|
QS_ClientEntries | This setting handles connections from a maximum of 100,000 IP addresses. |
QS_SrvMaxConnPerIP | This setting limits each IP address to a maximum of 50 connections. |
QS_SrvMaxConnClose | This setting disables the KeepAlive function when at least 180 connections exist. |
QS_SrvMinDataRate | This setting requires a minimum of 150 bytes per second per connection, and limits the connection to 1200 bytes per second when the server reaches the MaxRequestWorkers limit. |
For more information, read the mod_qos documentation.