We're here to help We're here to help

MONT Hardware Appliance: Slowloris Attack Mitigation

Created: Updated:

What is Slowloris?

Slowloris is a denial-of-service (DoS) attack tool that was first described in the “Programming Model Attacks” section of Apache Security in 2005.

It can attack a number of web servers that use threaded processes.

Slowloris attempts to keep as many connections to the attacked server open until numerous or all possible connections are occupied.

https://en.wikipedia.org/wiki/Slowloris_(computer_security)

https://web.archive.org/web/20090822001255/http://ha.ckers.org/slowloris/

 

Effect/Severity

As soon as Slowloris has occupied many or even all threads of the attacked server, the service of the web server is blocked for other clients.

The server is then switched off for operation and shut down for service.

 

Demo/Proof of Concept

https://github.com/felmoltor/SlowlorisChecker

https://web.archive.org/web/20121010105737/https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications

In the demo/test performed with the default Hardware appliance, the above script produced the following result:

## PROBABLY Vulnerable to slowloris!

After the changes below the result should be „NOT vulnerable to slowloris“.

 

Action

The Hardware Appliance is shipped with the Apache module “mod_reqtimeout” installed, but not enabled. Thus, there is two small changes that need to be done to the configuration.

To do this, you need to:

  • SSH into the Appliance, this will take you to the right VM to move on, vgw
  • navigate to /etc/httpd
  • edit the file httpd.conf with vim
  • around line 97, you will find this out commented instruction:
    LoadModule reqtimeout_module /usr/lib/httpd/modules/mod_reqtimeout.so
  • remove the ‘#’ at the beginning of the line so that the module will actually by loaded
  • on the next line, we can add the following:
    RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
  • these are the default values as per the examples. if need be, please refer to the documentation of mod_reqtimeout to tweak these parameters.
  • save the changes
  • Restart the Apache Server with the command "systemctl restart httpd"

To check your entries run ‚apachectl -t‘

The following log line has been there before, it is not an indication of a problem, but a false alarm.

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message

In many instructions, the above instruction is followed by a

<IfModule mod_reqtimeout.c>

safeguard.

 

Side Effects

As per the documentation of the module:
https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html

In exceptional cases, the account may be switched off by the “mod_reqtimeout” module. This can happen if not enough data has been transferred from the processes.

A restart of the Hardware Appliance is then necessary.

 

General Comments

As for all „manual“ configuration file changes within ‚/etc‘, it applies that these do survive reboot, backup&restore, updates but they might be in the way for upstream updates.