mod_noloris: defending against DoS

The slowloris script kicked off a lot of discussion, including my own recent blog piece.  A range of defences have been discussed, and deployed by individual users.  But I think this discussion highlights the need for a proper response from the apache community.  Not just in the future, but now: something users of at least our current stable releases (2.2.x) can deploy.

So today I committed a new module mod_noloris to svn.  mod_noloris works by taking snapshots of the total number of connections in READ state per client, and denying new connections to clients that already have too many such connections.  Configurable parameters are the interval between snapshots (default: 10 seconds), the number of connections permitted per client (default: 50), and a “whitelist” of trusted clients that are allowed unlimited connections, so you don’t, for example, lock out users of your company’s proxy on your company site.

This is work in progress, and far from perfect.  One issue is that an attack won’t be detected until the next snapshot, and that still leaves an attacker scope to DoS a small server with a small number of slowloris clients.  But having it in the repository should attract eyes to it, and help it mature.
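The snapshot-and-threshold policy described above, together with the detection gap just mentioned, as a Python model added here (this is not mod_noloris's own C code; the scoreboard layout, the client address and the strict "more than the limit" comparison are assumptions):

```python
from collections import Counter

READ = "READ"  # worker is still waiting for the client to finish its request


class NolorisModel:
    """Model of the mod_noloris policy (assumption: not the module's own code).

    Every `interval` seconds the scoreboard is scanned; a client holding more
    than `limit` workers in READ state is refused new connections until the
    next snapshot clears it. Whitelisted clients are never refused.
    """

    def __init__(self, interval=10, limit=50, whitelist=()):
        self.interval = interval
        self.limit = limit
        self.whitelist = frozenset(whitelist)
        self.blocked = frozenset()
        self.last_snapshot = None

    def snapshot(self, scoreboard, now):
        """scoreboard: one (client_ip, state) pair per worker slot; (None, None) if idle."""
        counts = Counter(ip for ip, state in scoreboard if ip and state == READ)
        self.blocked = frozenset(ip for ip, n in counts.items()
                                 if n > self.limit and ip not in self.whitelist)
        self.last_snapshot = now
        return self.blocked

    def on_connect(self, ip, scoreboard, now):
        """Accept or refuse a new connection; re-snapshot only when the interval has elapsed."""
        if self.last_snapshot is None or now - self.last_snapshot >= self.interval:
            self.snapshot(scoreboard, now)
        return ip not in self.blocked


def simulate_slow_client(workers=100, limit=50, interval=10, rate=20):
    """Constructed scenario: one slow client (203.0.113.9, a documentation address)
    opens `rate` READ-state connections per second against `workers` slots.
    Returns (second at which it is first refused, workers it holds by then)."""
    model = NolorisModel(interval=interval, limit=limit)
    board = [(None, None)] * workers
    held = 0
    for t in range(60):
        for _ in range(rate):
            if not model.on_connect("203.0.113.9", board, t):
                return t, held
            if held < workers:          # a READ-state connection occupies a slot
                board[held] = ("203.0.113.9", READ)
                held += 1
    return None, held
```

With the defaults the client is not refused until the 10-second snapshot, by which time it holds every one of the 100 workers; with a 1-second interval it is refused at second 3 holding 60.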

Posted on July 1, 2009, in apache, security. 4 Comments.

  1. Greetings,

    First off, thanks x 1e6 for making the effort to come up with a defence against this highly public exploit – whether it amounts to anything or not in the real world, it is extremely helpful to have at least an option for when “the Management” ask “What’s being done?”.

    My comment is rather mundane; the latest version of mod_noloris.c on SVN (791498) uses a method in scoreboard.h (ap_get_scoreboard_worker_from_indexes) but this method is not available in the version of scoreboard.h that ships with 2.2.11 (the current release).

    To get it to compile, I reverted that single method call:
    138c138
    ws = ap_get_scoreboard_worker(i,j);

    First question: Do you think that’ll work?

    Second question: Given that most users will not have 2.3+ header files, would it be possible to produce a version that is 2.2.x compatible?

    Rgds,
    Owen

  2. Hehe.

    I originally wrote it for 2.2 for precisely that reason, without realising the API had been broken. See http://marc.info/?l=apache-httpd-dev&m=124689765715845&w=2

  3. Hi,

    The latest build with gcc 4.1 and apache 2.2.3 errors whereas the July first version did not. Should there be a concern?
    mod_noloris.c: In function ‘noloris_monitor’:
    mod_noloris.c:138: warning: assignment makes pointer from integer without a cast

    Rgds,
    Aram

  4. Yes, that is a concern. Someone broke the API between 2.2 and trunk, so the function call on line 138 is different.

    Just thinking how best to deal with this. Technically speaking, I should just reverse the change so that the same API works with 2.2 and with current. The other option is to mess about with #ifdef.

    See also http://marc.info/?t=124689182400010&r=1&w=2
