The slowloris script kicked off a lot of discussion, including my own recent blog piece.  A range of defences have been discussed, and deployed by individual users.  But I think this discussion highlights the need for a proper response from the apache community.  Not just in the future, but now: something users of at least our current stable releases (2.2.x) can deploy.

So today I committed a new module mod_noloris to svn.  mod_noloris works by taking snapshots of the total number of connections in READ state per-client, and denying new connections to clients having already too many such connections.  Configurable parameters are the interval between snapshots (default: 10 seconds), the number of connections permitted per client (default 50), and a “whitelist” of trusted clients that will be allowed unlimited connections so you don’t, for example, lock out users of your company’s proxy on your company site.

This is work in progress, and far from perfect.  One issue is that an attack won’t be detected until the next snapshot, and that still leaves an attacker scope to DoS a small server with a small number of slowloris clients.  But having it in the repository should attract eyes to it, and help it mature.