How to Mitigate Slowloris Attacks


Last modified: August 25, 2023

Overview

This document provides several methods to mitigate the impact of Slowloris attacks.

A Slowloris attack is a denial-of-service attack that opens a large number of connections to a web server and holds each one open for as long as possible by sending a partial HTTP request a few bytes at a time, never completing it. A web server can serve only a finite number of simultaneous connections. Once the attack consumes all of the available connections, legitimate clients cannot reach the site. Because the attack depends on connections that stay open while almost no data arrives, the mitigations below work by enforcing minimum data rates and maximum read times on each connection.

For more information about Slowloris attacks, read Wikipedia’s Slowloris article.

The mod_reqtimeout module

This method uses the mod_reqtimeout Apache module to mitigate a Slowloris attack. We recommend this method.

To use this module, install it in the Apache Modules section of WHM’s EasyApache 4 interface (WHM » Home » Software » EasyApache 4).

When you install this module, it creates the /etc/apache2/conf.modules.d/375_mod_reqtimeout.conf file with the following configuration:

# Enable mod_reqtimeout
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout handshake=0 header=20-40,MinRate=500 body=20,MinRate=500

Note:
The number at the beginning of the name of the .conf file may vary.

Place any RequestReadTimeout settings that you wish to add or override in an include file in the /etc/apache2/conf.d directory rather than editing the module's own .conf file.

Your include file should resemble the following configuration to mitigate Slowloris attacks:

<IfModule mod_reqtimeout.c>
   RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>

This example configuration enforces the following behavior:

  • Headers: the server allows 20 seconds for the request headers to arrive. Each 500 bytes the client sends extends the deadline by one second, up to a hard limit of 40 seconds from the start of the request. A client that sends less than about 500 bytes per second therefore runs out of time at roughly the 20-second mark, while a slow but steady legitimate client can take up to 40 seconds.
  • Body: the same rule applies to the request body: 20 seconds initially, extended by one second per 500 bytes received, to a maximum of 40 seconds.

When either deadline passes, the server returns a 408 Request Timeout and closes the connection, freeing the worker for other clients.
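To make the header timer concrete, the following is an added Python model (not code from the original page, cPanel, or Apache). It parses a RequestReadTimeout directive and replays constructed client traces against the header stage using the rule the Apache documentation describes: start at the minimum timeout, extend by one second per MinRate bytes received, never beyond the maximum. The traces (a Slowloris client, an ordinary browser, and a slow but steady client) are constructed for the example.

```python
"""Replay a client's header bytes against an Apache RequestReadTimeout spec.

Added example, not code from the original page, cPanel or Apache. It models
the header-stage timer as the Apache documentation describes it: start with
the minimum timeout, extend it by one second for every MinRate bytes
received, never beyond the maximum. All client traces are constructed.
"""
import re

STAGE_RE = re.compile(r"(\d+)(?:-(\d+))?(?:,MinRate=(\d+))?")


def parse_stage(spec):
    """Parse 'MIN[-MAX][,MinRate=N]' into (min_seconds, max_seconds, min_rate)."""
    m = STAGE_RE.fullmatch(spec)
    if not m:
        raise ValueError(f"bad RequestReadTimeout value {spec!r}")
    min_s = int(m.group(1))
    max_s = int(m.group(2)) if m.group(2) else None
    rate = int(m.group(3)) if m.group(3) else None
    if max_s is not None and max_s < min_s:
        raise ValueError(f"maximum {max_s} is below minimum {min_s}")
    return min_s, max_s, rate


def parse_directive(args):
    """Split 'handshake=0 header=20-40,MinRate=500 body=20,MinRate=500'
    into {'handshake': (0, None, None), 'header': (20, 40, 500), ...}."""
    stages = {}
    for token in args.split():
        stage, _, spec = token.partition("=")
        if stage not in ("handshake", "header", "body"):
            raise ValueError(f"unknown RequestReadTimeout stage {stage!r}")
        stages[stage] = parse_stage(spec)
    return stages


def replay_headers(stage, arrivals):
    """Feed (seconds, bytes) chunks to the header timer.

    Returns ('complete', t) when the blank line ending the headers arrives
    in time, or ('timeout', deadline) when Apache would answer 408 and
    close the connection. `stage` is a (min, max, rate) tuple.
    """
    min_s, max_s, rate = stage
    deadline = float(min_s)
    received = b""
    for t, chunk in arrivals:
        if t > deadline:
            return "timeout", deadline
        received += chunk
        if rate:
            deadline += len(chunk) / rate          # one second per MinRate bytes
            if max_s is not None:
                deadline = min(deadline, float(max_s))
        if b"\r\n\r\n" in received:
            return "complete", t
    return "timeout", deadline      # client went quiet before finishing


HEADER = parse_directive("handshake=0 header=20-40,MinRate=500 body=20,MinRate=500")["header"]

# Constructed traces. A Slowloris client sends one bogus header line every
# 10 seconds and never the blank line that ends the request.
SLOWLORIS = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")] + [
    (10.0 * i, b"X-a: b\r\n") for i in range(1, 7)
]
# An ordinary browser sends the whole header block at once.
BROWSER = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n\r\n")]
# A slow but steady client keeps up with MinRate (500 bytes every second) and
# needs 31 seconds: past the 20-second floor but under the 40-second cap.
STEADY = [(float(i), b"X-pad: " + b"a" * 491 + b"\r\n") for i in range(1, 31)] + [(31.0, b"\r\n")]

if __name__ == "__main__":
    for name, trace in (("slowloris", SLOWLORIS), ("browser", BROWSER), ("steady", STEADY)):
        print(name, replay_headers(HEADER, trace))
```

The Slowloris trace is cut off just after the 20-second mark because its 8-byte lines extend the deadline by only 16 milliseconds each, while the steady client's 500 bytes per second keep pushing the deadline forward until the 40-second cap, and it finishes at 31 seconds.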

For more information, read Apache’s ModReqtimeout documentation.

The mod_qos module

You can also use the mod_qos module to mitigate Slowloris attacks.

To use this module, install it in the Apache Modules section of WHM’s EasyApache 4 interface (WHM » Home » Software » EasyApache 4).

Your /etc/apache2/conf.d/qos.conf file should resemble the following configuration to mitigate Slowloris attacks:

<IfModule qos_module>
   # handle connections from up to 100000 different IPs
   QS_ClientEntries 100000

   # allow only 50 connections per IP
   QS_SrvMaxConnPerIP 50

   # Some examples for mod qos show MaxClients/MaxRequestWorkers. Do not set those here,
   # instead set MaxRequestWorkers in WHM

   # disables keep-alive when 180 (70%) TCP connections are occupied
   QS_SrvMaxConnClose 180

   # minimum request/response speed
   # (deny slow clients blocking the server, keeping connections open without requesting anything)
   QS_SrvMinDataRate 150 1200
</IfModule>

This example configuration enforces the following behavior:

  • QS_ClientEntries — mod_qos keeps per-client state for up to 100,000 distinct IP addresses.
  • QS_SrvMaxConnPerIP — each IP address may hold at most 50 concurrent connections; further connection attempts from that address are refused.
  • QS_SrvMaxConnClose — when 180 or more TCP connections are in use, the server stops honoring keep-alive, so idle connections are closed after each response instead of occupying a worker.
  • QS_SrvMinDataRate — each connection must transfer at least 150 bytes per second when the server is lightly loaded. The required rate rises with the number of busy connections and reaches 1200 bytes per second when the server is at its MaxRequestWorkers limit. Connections that fall below the required rate are closed. The second value is a stricter minimum under load, not a cap on client bandwidth.
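The following added Python model (not code from the original page, cPanel, or mod_qos) applies the three connection-level directives from the qos.conf example to a constructed table of connections, so the interaction between the per-IP limit, the keep-alive threshold and the load-dependent data-rate floor can be seen on sample input. Two assumptions are labeled in the code: MaxRequestWorkers is 256 (consistent with the example's comment that 180 connections is about 70%), and the required rate grows linearly from the first QS_SrvMinDataRate value to the second as busy connections approach MaxRequestWorkers, which is how the mod_qos documentation describes the directive.

```python
"""Model of the mod_qos directives in the qos.conf example.

Added example, not code from the original page, cPanel or mod_qos. It
applies QS_SrvMaxConnPerIP, QS_SrvMaxConnClose and QS_SrvMinDataRate to a
constructed table of (ip, bytes_per_second) connections.
"""
from collections import Counter

QOS = {
    "QS_ClientEntries": 100000,          # tracked client IPs; not exercised here
    "QS_SrvMaxConnPerIP": 50,
    "QS_SrvMaxConnClose": 180,
    "QS_SrvMinDataRate": (150, 1200),    # (bytes/s when idle, bytes/s at MaxRequestWorkers)
}
MAX_REQUEST_WORKERS = 256   # assumed; set in WHM, not in qos.conf


def required_min_rate(busy, conf=QOS, max_workers=MAX_REQUEST_WORKERS):
    """Bytes per second a connection must sustain with `busy` occupied workers.

    Assumption: linear rise from the first to the second QS_SrvMinDataRate
    value as busy connections approach MaxRequestWorkers.
    """
    low, high = conf["QS_SrvMinDataRate"]
    load = min(busy, max_workers) / max_workers
    return low + (high - low) * load


def keepalive_enabled(busy, conf=QOS):
    """QS_SrvMaxConnClose switches keep-alive off at or above its threshold."""
    return busy < conf["QS_SrvMaxConnClose"]


def evaluate(connections, conf=QOS, max_workers=MAX_REQUEST_WORKERS):
    """Decide each (ip, bytes_per_second) connection in arrival order.

    Returns one of 'ok', 'reject: per-IP limit' or 'close: below min rate'
    per connection. The per-IP limit is applied as connections arrive; the
    data-rate floor is then applied to every accepted connection at the
    resulting load.
    """
    per_ip = Counter()
    decisions = []
    accepted = []
    for ip, rate in connections:
        if per_ip[ip] >= conf["QS_SrvMaxConnPerIP"]:
            decisions.append("reject: per-IP limit")
            accepted.append(None)
            continue
        per_ip[ip] += 1
        decisions.append("ok")
        accepted.append(rate)
    busy = sum(1 for r in accepted if r is not None)
    floor = required_min_rate(busy, conf, max_workers)
    for i, rate in enumerate(accepted):
        if rate is not None and rate < floor:
            decisions[i] = "close: below min rate"
    return decisions


# Constructed connection table: one attacker opens 60 connections that trickle
# 5 bytes/s each; ten ordinary clients from distinct addresses send 2000 bytes/s.
ATTACK = [("203.0.113.7", 5.0)] * 60
LEGIT = [(f"198.51.100.{n}", 2000.0) for n in range(1, 11)]

if __name__ == "__main__":
    print(Counter(evaluate(ATTACK + LEGIT)))
    print("keep-alive on at 60 busy connections:", keepalive_enabled(60))
    print("required rate at 180 busy connections: %.1f B/s" % required_min_rate(180))
```

On this table the per-IP limit turns away the attacker's 51st and later connections, the data-rate floor (about 396 bytes per second with 60 busy connections) closes the 50 that were admitted, and the ten legitimate clients are untouched; at 180 busy connections the floor would already be about 888 bytes per second and keep-alive would be off.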

For more information, read the mod_qos documentation.

Additional Documentation