Friday, September 19, 2014

Mitigating Slow Loris attacks on Apache and Nginx


Robert "RSnake" came up with this attack. It consists of opening as many connections to a server as you can and keeping them open for as long as you can. The objective is to occupy all the available connections on the target, so that it cannot serve other visitors. There is more information about it on Wikipedia.

For Apache, there's a special module, mod_antiloris, which I haven't tried yet. What I'm using for this example is mod_reqtimeout. This is the configuration in the vhost conf file:

<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=5-10,MinRate=500 body=8,MinRate=500
</IfModule>

This will time out header reception after 5 seconds, but if the client is still sending data, the timeout is extended by 1 second for every 500 bytes received, up to a maximum of 10 seconds. The body will time out after 8 seconds, but if the client is still sending data at a minimum rate of 500 bytes per second, an extra second is added to the timeout for every 500 bytes; there is no upper limit in this case, in case we have a big upload coming in.

To finish enabling this, we need to enable the module and reload Apache:

$ sudo a2enmod reqtimeout
$ sudo apachectl graceful

For Nginx, I added this to my vhost configuration file:

        # Slowloris mitigation
        client_body_timeout             5s;
        client_header_timeout           5s;
        keepalive_timeout               10s;
        send_timeout                    15s;

This will make both the body and the header time out at 5 seconds. Keep-alive connections will expire after 10 seconds. Also, if we are sending a response to the client and it is not accepting it, we will close the connection after 15 seconds.

To enable the configuration, check nginx syntax and reload the service:

$ sudo nginx -t && sudo service nginx reload
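To see what the two configurations above actually do to a client that trickles a request, here is a small timeout model I added for this post. It is not code from Apache, Nginx or this blog; it is a hypothetical helper that parses the RequestReadTimeout argument string, replays a constructed list of (second, bytes received) events against the documented mod_reqtimeout rule (initial timeout, extended by 1 second per MinRate bytes, capped by the optional maximum) and against the Nginx idle-style timeouts (client_body_timeout and send_timeout restart on every read or write, while client_header_timeout is an absolute limit on the whole header). The exact rules are simplified assumptions taken from the two manuals, not measurements against a live server.

```python
"""Timeout models for the mod_reqtimeout and Nginx settings in this post.

Hypothetical helper written for this post; it does not talk to any server.
Events are constructed (second, bytes) pairs describing what a slow client
sent; each function returns the second at which the server gives up on a
request that is never completed.
"""
from __future__ import annotations

import re
from typing import Optional


def parse_reqtimeout(directive: str) -> dict:
    """Parse the argument of a RequestReadTimeout directive.

    "header=5-10,MinRate=500 body=8,MinRate=500" becomes
    {"header": (5, 10, 500), "body": (8, None, 500)}, i.e.
    (initial seconds, maximum seconds or None, MinRate bytes or None).
    """
    stages = {}
    for token in directive.split():
        m = re.fullmatch(r"(header|body)=(\d+)(?:-(\d+))?(?:,MinRate=(\d+))?", token)
        if not m:
            raise ValueError(f"unrecognised RequestReadTimeout token: {token!r}")
        stage, initial, maximum, minrate = m.groups()
        stages[stage] = (int(initial),
                         int(maximum) if maximum else None,
                         int(minrate) if minrate else None)
    return stages


def apache_close_time(initial: int, maximum: Optional[int],
                      minrate: Optional[int],
                      events: list[tuple[float, int]]) -> float:
    """Simplified mod_reqtimeout model (assumption based on the manual).

    The deadline starts `initial` seconds after the stage begins. Each chunk
    of n bytes that arrives before the deadline extends it by n / minrate
    seconds, but never past `maximum` seconds. Data arriving after the
    deadline is too late: the server has already closed the connection.
    """
    deadline = float(initial)
    for t, n in events:
        if t > deadline:
            return deadline
        if minrate:
            deadline += n / minrate
            if maximum is not None:
                deadline = min(deadline, float(maximum))
    return deadline  # the client stopped; server closes at the deadline


def nginx_idle_close_time(timeout: float,
                          events: list[tuple[float, int]]) -> float:
    """Model of client_body_timeout / send_timeout (assumption from the manual).

    The clock restarts on every successful read or write, so the connection
    is closed `timeout` seconds after the last successful operation. Use
    apache_close_time(timeout, None, None, events) for the absolute
    client_header_timeout.
    """
    last = 0.0
    for t, _n in events:
        if t > last + timeout:
            return last + timeout
        last = t
    return last + timeout


if __name__ == "__main__":
    cfg = parse_reqtimeout("header=5-10,MinRate=500 body=8,MinRate=500")
    # Constructed scenario: a client sends 500 bytes every second, forever.
    drip = [(t, 500) for t in range(30)]
    print("Apache header phase closes at", apache_close_time(*cfg["header"], drip))
    print("Apache body phase closes at", apache_close_time(*cfg["body"], drip))
    print("Nginx header closes at", apache_close_time(5, None, None, drip))
    print("Nginx body closes at", nginx_idle_close_time(5, drip))
```

Replaying the constructed drip shows the difference between the two designs: with header=5-10 Apache stops extending at the 10-second cap no matter how politely the client keeps trickling bytes, whereas Nginx's client_body_timeout restarts on every read, so a trickle that always arrives within 5 seconds is never cut off by that directive alone; the absolute client_header_timeout is what bounds the header phase there.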

These parameters work for my setup; you might need to change them depending on your environment.

Bibliography:

Wikipedia page
Apache documentation on mod_reqtimeout
Slowloris original code
Nginx manual
