Stop Slowloris and other Slow Post/Get type Attacks on Apache 2.4 with mod_qos

Apache 2.4 mod_qos

Slowloris is designed so that a single machine (probably a Linux/UNIX machine since Windows appears to limit how many sockets you can have open at any given time) can easily tie up a typical web server or proxy server by locking up all of it’s threads as they patiently wait for more data. Some servers may have a smaller tolerance for timeouts than others, but Slowloris can compensate for that by customizing the timeouts.

There is an added function to help you get started with finding the right sized timeouts as well. As a side note, Slowloris does not consume a lot of resources so modern operating systems don’t have a need to start shutting down sockets when they come under attack, which actually in turn makes Slowloris better than a typical flooder in certain circumstances.

Think of Slowloris as the HTTP equivalent of a SYN flood.

Most linux distros with this mod install is really similar, but I will be covering how to install/Enable it for apache 2.4 on Ubuntu and how you should configure it to work best.

Quick Install Instructions of libapache2-mod-qos on Ubuntu Server. It’s Super Easy! simply click on Copy button to copy the command and paste into your command line terminal using built-in APT package manager.

See below for quick step by step instructions of SSH commands, Copy/Paste to avoid miss-spelling or accidently installing a different package.

Quick Install Steps:

log into your ssh and copy and paste these commands.

Step 1

sudo apt-get update -y

Step 2

sudo apt-get install -y libapache2-mod-qos

Boom pretty simple. Centos Redhat and others may use yum instead of apt-get just depends the system.

After installing the module, it will register and enable itself automatically. Quality of service implements control mechanisms to provide different priority to different users, applications, and data connections. It is used to guarantee a certain level of performance to data resources. The term quality of service is often used in the field of wide area network protocols (e.g. ATM) and telephony (e.g. VoIP), but rarely in conjunction with web applications. mod_qos is a quality of service module for the Apache web server implementing control mechanisms that can provide different levels of priority to different HTTP requests. Example situations where web applications require QoS:

More resources are consumed if request processing by an application takes a long time, e.g. when request processing includes time consuming database queries.
Oversubscription of link capabilities due to many concurrent clients uploading or downloading data.
Penetration of the web server by attackers (DoS).

For more information about the mod_qos module of Apache, please visit the official website at SourceForge here.

This is my config I use for a lot of large servers and seems to do the job with conjunction of CSF LFD and Crowdsec.

<IfModule qos_module>
# handles connections from up to 200000 different IPs

QS_ClientEntries 200000

# will allow only 12 connections per IP

QS_SrvMaxConnPerIP 12

QS_SrvRequestRate 120

# limits the connections for this virtual host:
QS_SrvMaxConn 800

# maximum number of active TCP connections is limited to 256

MaxClients 256
# disables keep-alive when 70% of the TCP connections are occupied:

QS_SrvMaxConnClose 180
# minimum request/response speed (deny slow clients blocking the server,
# ie. slowloris keeping connections open without requesting anything):

#QS_SrvMinDataRate 150 1200
# and limit request header and body (carefull, that limits uploads and
# post requests too):

LimitRequestFields 40

# HTTP response code to send to clients that breach mod_qos DoS mitigation rules
QS_ErrorResponseCode 429

# Envrionment variables
SetEnvIf Remote_Host “(.)” QS_EventRequest=$1
SetEnvIf Remote_Host “(.)” QS_Event=$1
SetEnvIf Remote_Host “(.*)” QS_Block=$1

# Maximum requests allowed to / per second, per IP address
QS_ClientEventPerSecLimit 150

# Maximum requests allowed to / per ip address, per x seconds (number of requests, number of seconds)
QS_ClientEventBlockCount 2000 120

#Whitelist server ip below
#Example QS_SrvMaxConnExcludeIP 14.1.1.57
#QS_SrvMaxConnExcludeIP 7.9.54.54
#QS_SrvMaxConnExcludeIP 123:4567:203:a9d::

</IfModule>

QoS Settings

Now just in case you may need to enable the module and restart apache, if so just run command:

a2enmod qos
 /etc/init.d/apache2 restart

Luxottica - 77,093,812 breached accounts May 19, 2023

In March 2021, the world's largest eyewear company Luxoticca suffered a data breach via one of their partners that exposed the personal information of more than 70M people. The data was subsequently sold via a popular hacking forum in late 2022 and included email and physical addresses, names, genders, dates of birth and phone numbers. […]

RentoMojo - 2,185,697 breached accounts May 10, 2023

In April 2023, the Indian rental service RentoMojo suffered a data breach. The breach exposed over 2M unique email addresses along with names, phone, passport and Aadhaar numbers, genders, dates of birth, purchases and bcrypt password hashes.

MEO - 8,227 breached accounts April 24, 2023

In early 2023, a corpus of data sourced from the New Zealand based face mask company MEO was discovered. Dating back to December 2020, the data contained over 8k customer records including names, addresses, phone numbers and passwords stored as MD5 Wordpress hashes. MEO did not respond to multiple attempts to report the breach.

Terravision - 2,075,625 breached accounts April 23, 2023

In February 2023, the European airport transfers service Terravision suffered a data breach. The breach exposed over 2M records of customer data including names, phone numbers, email addresses, salted password hashes and in some cases, date of birth and country of origin. Terravision did not respond to multiple attempts by individuals period over a period […]

OGUsers (2022 breach) - 529,020 breached accounts April 14, 2023

In July 2022, the account hijacking and SIM swapping forum OGusers suffered a data breach, the fifth since December 2018. The breach contained usernames, email and IP addresses and passwords stored as argon2 hashes. A total of 529k unique email addresses appeared in the breach.

The Kodi Foundation - 400,635 breached accounts April 13, 2023

In February 2023, The Kodi Foundation suffered a data breach that exposed more than 400k user records. Attributed to an account belonging to "a trusted but currently inactive member of the forum admin team", the breach involved the administrator account creating a database backup that was subsequently downloaded before being sold on a hacking forum. […]

Sundry Files - 274,461 breached accounts March 31, 2023

In January 2022, the now defunct file upload service Sundry Files suffered a data breach that exposed 274k unique email addresses. The data also included usernames, IP addresses and passwords stored as salted SHA-256 hashes.

Leaked Reality - 114,907 breached accounts March 31, 2023

In January 2022, the now defunct uncensored video website Leaked Reality suffered a data breach that exposed 115k unique email addresses. The data also included usernames, IP addresses and passwords stored as either MD5 or phpass hashes.

TheGradCafe - 310,975 breached accounts March 24, 2023

In February 2023, the grad school admissions search website TheGradCafe suffered a data breach that disclosed the personal records of 310k users. The data included email addresses, names and usernames, genders, geographic locations and passwords stored as bcrypt hashes. Some records also included physical address, phone number and date of birth. TheGradCafe did not respond […]

Shopper+ - 878,290 breached accounts March 11, 2023

In March 2023, "Canada's online shopping mall" Shopper+ disclosed a data breach discovered on a public hacking forum. The breach dated back to September 2020 and included 878k customer records with email and physical addresses, names, phone numbers and in some cases, genders and dates of birth.