Stop Slowloris and other Slow Post/Get type Attacks on Apache 2.4 with mod_qos
Apache 2.4 mod_qos
Slowloris is designed so that a single machine (probably a Linux/UNIX machine, since Windows appears to limit how many sockets you can have open at any given time) can easily tie up a typical web server or proxy server by locking up all of its threads as they patiently wait for more data. Each connection sends a partial HTTP request and then keeps adding header lines just often enough that the server never hits its timeout and never gets a complete request to answer. Some servers may have a smaller tolerance for timeouts than others, but Slowloris can compensate for that by customizing its timeouts.
Slowloris also includes a test function to help you find the right-sized timeouts for a given target. As a side note, Slowloris does not consume a lot of resources, so modern operating systems have no need to start shutting down sockets when they come under attack, which in turn makes Slowloris better than a typical flooder in certain circumstances: it is slow and quiet rather than loud.
Think of Slowloris as the HTTP equivalent of a SYN flood.
Installing this module is very similar on most Linux distros, but I will be covering how to install and enable it for Apache 2.4 on Ubuntu and how you should configure it to work best.
Quick install of libapache2-mod-qos on Ubuntu Server using the built-in APT package manager. Log in over SSH and copy/paste the commands below, to avoid misspelling the package name or accidentally installing a different package.
Quick Install Steps:
sudo apt-get update -y
sudo apt-get install -y libapache2-mod-qos
After installation, the Ubuntu package registers and enables the module automatically (the equivalent of running a2enmod qos).
Quality of service (QoS) implements control mechanisms that give different priority to different users, applications and data connections, in order to guarantee a certain level of performance to a resource. The term is commonly used for wide area network protocols (e.g. ATM) and telephony (e.g. VoIP), but rarely in conjunction with web applications. mod_qos is a quality of service module for the Apache web server that implements control mechanisms able to give different levels of priority to different HTTP requests. Example situations where web applications require QoS:
- More resources are consumed if request processing by an application takes a long time, e.g. when request processing includes time consuming database queries.
- Oversubscription of link capabilities due to many concurrent clients uploading or downloading data.
- Penetration of the web server by attackers (DoS).
For more information about the mod_qos module for Apache, see the official website on SourceForge (mod-qos.sourceforge.net), which documents every directive used below.
This is the config I use on a lot of large servers, and it seems to do the job in conjunction with CSF/LFD and CrowdSec.
<IfModule mod_qos.c>
    # handles connections from up to 200000 different IPs
    QS_ClientEntries 200000
    # will allow only 12 connections per IP
    QS_SrvMaxConnPerIP 12
    # limits the connections for this virtual host:
    # maximum number of active TCP connections is limited to 256
    QS_SrvMaxConn 256
    # disables keep-alive when 70% of the TCP connections are occupied
    # (180 of the 256 above):
    QS_SrvMaxConnClose 180
    # minimum request/response speed (deny slow clients blocking the server,
    # i.e. slowloris keeping connections open without requesting anything).
    # This is the directive that actually drops a Slowloris client: 150 bytes/sec
    # minimum, raised towards 1200 bytes/sec as the connection slots fill up.
    # It is left commented out here; uncomment it once you have checked that
    # your legitimate slow clients (mobile, uploads) still get through:
    #QS_SrvMinDataRate 150 1200
    # and limit request header and body (careful, that limits uploads and
    # POST requests too; the directives are LimitRequestFields and
    # QS_LimitRequestBody, not set here):
    # HTTP response code to send to clients that breach mod_qos DoS mitigation
    # rules (QS_ErrorResponseCode; mod_qos answers 500 unless you set it)
    # Environment variables: Remote_Host matches every client, so every request
    # raises a QS_Block event. QS_EventRequest and QS_Event only have an effect
    # if QS_ClientEventRequestLimit / QS_ClientEventPerSecLimit are also set.
    SetEnvIf Remote_Host "(.*)" QS_EventRequest=$1
    SetEnvIf Remote_Host "(.*)" QS_Event=$1
    SetEnvIf Remote_Host "(.*)" QS_Block=$1
    # Maximum requests allowed per IP address per x seconds
    # (number of requests, number of seconds): an IP that raises more than
    # 2000 QS_Block events within 120 seconds is blocked for 120 seconds
    QS_ClientEventBlockCount 2000 120
    # Whitelist your own server IP (and any monitoring hosts) below, so they
    # are never rate limited or blocked
    # Example: QS_SrvMaxConnExcludeIP 22.214.171.124
</IfModule>
If the module was not enabled automatically, enable it and restart Apache. Run apachectl configtest first, so a typo in the config above does not take the server down on restart:
sudo a2enmod qos
sudo /etc/init.d/apache2 restart
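The only way to know whether the limits above really stop the attack described at the top of the page is to behave like Slowloris against a test instance and watch what happens. The following probe is an added example written for this page; it is not code from the page, from Slowloris or from mod_qos. It opens a handful of connections, sends an incomplete request on each, keeps dribbling bogus header lines, and reports how long the server tolerated each connection and whether the server ended it. The stub server bundled with it (an idle-timeout model, a simplification of what QS_SrvMinDataRate does with bytes per second) is a constructed stand-in so the script runs offline; point probe() at a real test host and port to check your own server.

```python
"""Slowloris-style probe: how long does a server keep a half-sent request open?

Added example for this page; not code from the page, Slowloris or mod_qos.
Run it against a test instance only, with a small connection count.
"""
import socket
import socketserver
import threading
import time


def slow_connection(host, port, header_interval, max_duration):
    """Open one connection, send an incomplete request, then dribble one bogus
    header line every `header_interval` seconds, never finishing the request.

    Returns (seconds_kept_open, server_ended_it). server_ended_it is True when
    the server closed the socket or sent any reply at all (408, 500, ...)."""
    start = time.monotonic()
    s = socket.create_connection((host, port), timeout=header_interval)
    try:
        s.sendall(b"GET / HTTP/1.1\r\nHost: %s\r\nUser-Agent: slow-probe\r\n"
                  % host.encode())
        while time.monotonic() - start < max_duration:
            try:
                s.recv(4096)              # b'' == peer closed, anything else == a reply
                return time.monotonic() - start, True
            except socket.timeout:
                pass                      # server is still waiting patiently
            except OSError:               # connection reset by peer
                return time.monotonic() - start, True
            try:
                s.sendall(b"X-a: b\r\n")  # the Slowloris keep-the-request-alive trick
            except OSError:
                return time.monotonic() - start, True
        return time.monotonic() - start, False
    finally:
        s.close()


def probe(host, port, connections, header_interval=10.0, max_duration=60.0):
    """Run `connections` slow connections in parallel and return their results."""
    results = [None] * connections

    def worker(i):
        results[i] = slow_connection(host, port, header_interval, max_duration)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(connections)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def summarize(results):
    """Count connections the server ended vs. ones still open at the deadline."""
    ended = sum(1 for _, server_ended in results if server_ended)
    return {
        "ended_by_server": ended,
        "still_open_at_deadline": len(results) - ended,
        "max_seconds_tolerated": max((secs for secs, _ in results), default=0.0),
    }


# --- constructed stand-in server for the offline demo and the self-test ------
class IdleTimeoutHandler(socketserver.BaseRequestHandler):
    """Simplified model of a hardened server: if no bytes arrive for
    idle_limit seconds, answer 408 and hang up. idle_limit=None models an
    unprotected server that waits for the rest of the request forever."""

    def handle(self):
        self.request.settimeout(self.server.idle_limit)
        try:
            while self.request.recv(4096):
                pass                      # loop ends when the client closes
        except socket.timeout:
            self.request.sendall(b"HTTP/1.1 408 Request Timeout\r\n"
                                 b"Connection: close\r\n\r\n")
        except OSError:
            pass


def start_stub_server(idle_limit):
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), IdleTimeoutHandler)
    srv.idle_limit = idle_limit
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    # Offline demo: a server that drops idle connections after 2 s versus one
    # that never does. Against a real mod_qos host, run once with `connections`
    # below QS_SrvMaxConnPerIP and once above it to see the 13th connection refused.
    for limit in (2.0, None):
        srv = start_stub_server(limit)
        res = probe("127.0.0.1", srv.server_address[1], connections=5,
                    header_interval=1.0, max_duration=4.0)
        srv.shutdown()
        print("idle_limit=%s ->" % limit, summarize(res))
```

What to expect against the config on this page: with QS_SrvMinDataRate uncommented, every connection should show ended_by_server within a few seconds; with it still commented out, the probe's connections stay open until max_duration, and only the 13th connection from the same IP is refused by QS_SrvMaxConnPerIP. Keep header_interval shorter than Apache's own Timeout, otherwise you are measuring the core timeout rather than mod_qos.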