  1.     
    #1
    Member

    Is this a slowloris attack?

    Apache flood causing CPU resources to lag. The image speaks for itself:
    http://i42.tinypic.com/jtxj0l.png

    I'm using nginxcp + csf + memcached (php).

    I have tried mod_qos, htaccess with mod_rewrite rules, csf connlimit and portflood; it seems to help a bit.
    Also, I can't make mod_antiloris work. I'm using CentOS 6.1 x64.

    How do I block this attack?

  3.     
    #2
    Banned
    Website's:
    KWWHunction.com
    Just in case you didn't know, Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they'll allow. Slowloris must wait for all the sockets to become available before it's successful at consuming them, so if it's a high traffic website, it may take a while for the site to free up its sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris.

    Do as I say below:

    Increase MaxClients in Apache or nginx; it should help some.

    Also run

    iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 40 -j DROP

    It will limit one host to 20 connections to port 80 only

    If you have mod_qos installed, take a look at your config and adjust it like so.

    ## QoS Settings
    # handles connections from up to 100000 different IPs
    QS_ClientEntries 100000

    # will allow only 50 connections per IP
    QS_SrvMaxConnPerIP 50

    # maximum number of active TCP connections is limited to 256
    MaxClients 256

    # disables keep-alive when 70% of the TCP connections are occupied:
    QS_SrvMaxConnClose 180

    # minimum request/response speed (deny slow clients blocking the server):
    QS_SrvMinDataRate 150 1200

    # and limit request header and body:
    LimitRequestFields 30
    QS_LimitRequestBody 102400

    You may or may not have it installed, however.

  4.     
    #3
    Member
    After running this:
    Code: 
    [~]# iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 40 -j DROP
    I get this:
    Code: 
    iptables v1.4.7: --connlimit-mask must be between 0 and 32
    Try `iptables -h' or 'iptables --help' for more information.
    Also, about mod_qos: I have the exact same settings.
    Code: 
    LoadModule qos_module /usr/lib/apache2/modules/mod_qos.so
    Include "/usr/local/apache/conf/qos.conf"
    Sometimes when I refresh my page, it returns nothing. It's annoying while you post. Also, CT_LIMIT somehow bans some IPs. I have set it to 50.
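Added example, not part of any post in this thread: `--connlimit-mask` is an IPv4 prefix length, which is why iptables rejects 40; 32 counts every address on its own, while a shorter prefix counts a whole network as one source. The sketch below tallies connections the way connlimit groups them, so a limit can be checked against real per-source counts before it is enforced. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```shell
# over_limit MASK LIMIT
# stdin: one remote IPv4 address per line, one line per open connection.
# Groups the addresses by /MASK network, as --connlimit-mask does, and prints
# "network/MASK count" for each group holding more than LIMIT connections,
# i.e. the sources a --connlimit-above LIMIT rule would start dropping.
over_limit() {
    case "$1" in
        [0-9]|[12][0-9]|3[0-2]) ;;            # same range iptables accepts
        *) echo "mask must be between 0 and 32" >&2; return 2 ;;
    esac
    awk -v mask="$1" -v limit="$2" '
    BEGIN { block = 2 ^ (32 - mask) }         # addresses per group
    split($1, o, ".") == 4 {
        n = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        net = n - (n % block)                 # clear the host bits
        a = int(net / 16777216); b = int(net % 16777216 / 65536)
        c = int(net % 65536 / 256); d = net % 256
        count[a "." b "." c "." d "/" mask]++
    }
    END { for (k in count) if (count[k] > limit) print k, count[k] }
    ' | sort
}

# Constructed sample (documentation address ranges): one address holding 25
# connections, plus 30 addresses in one /24 holding 2 connections each.
sample_conns() {
    i=0; while [ "$i" -lt 25 ]; do echo 203.0.113.7; i=$((i + 1)); done
    i=1; while [ "$i" -le 30 ]; do
        echo "198.51.100.$i"; echo "198.51.100.$i"; i=$((i + 1))
    done
}

echo "per address (mask 32), limit 20:"; sample_conns | over_limit 32 20
echo "per /24 (mask 24), limit 20:";     sample_conns | over_limit 24 20
```

With mask 32 only the single busy address is over the limit; the 30 addresses with two connections each stay under it until they are grouped as a /24, which also sweeps in any legitimate client on that network.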

  5.     
    #4
    Banned
    Website's:
    KWWHunction.com
    Also, how do you have nGinx set up? I've never seen a Slowloris attack affect a server really if you're running nGinx the correct way.

  6.     
    #5
    Member
    Quote: Originally posted by DLow
    Also, how do you have nGinx set up? I've never seen a Slowloris attack affect a server really if you're running nGinx the correct way.

    I have nginxcp v3.0 from here:
    http://nginxcp.com/forums/Thread-ngi...-v3-0-released

    * I was using Cloudflare too, with set_real_ip to view IPs, but proxies are making false triggers at csf.
    Currently I have removed Cloudflare.

    I also have Sphinx installed for the search engine.

    Will Varnish or mod_antiloris solve the problem? I haven't tried yet.

  7.     
    #6
    Banned
    Website's:
    KWWHunction.com
    @maxtor

    Is it a virtual machine?

  8.     
    #7
    Member
    No, it's fully dedicated with ONLY one domain, and Apache goes down easily. It's too many IPs.

    I have also added these settings in nginx (for slowloris):

    Code: 
     limit_zone   slowdown  $binary_remote_addr  1m;
     limit_conn   slowdown 16;

  9.     
    #8
    Banned
    Website's:
    KWWHunction.com
    Do you have remote control of the server?

    i.e. remote reboot / power on / off

    Which data center? Are you on 10mb, 100mb or 1gige?

    Give me more information, server specs etc., and I'll be able to help you better.

  10.     
    #9
    Banned
    It looks like an HTTP GET attack; if you need help resolving it, let me know.

  11.     
    #10
    Member
    90% of the attacking IPs are already in the Spamhaus SBL and PBL blacklists. Is it a botnet? It is flooding a specific PHP file each time.

    I'm using this dedi:
    Intel Quad CPU Q6600 @ 2.40GHz
    4GB RAM
    100mbit
    CentOS 6.1 x64

    awknet.com datacenter.

    I can remote boot and power on/off.
    All settings are done via ssh only.

    The site is using the SMF bulletin board.
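Added example, not part of the thread: the pattern described in this post (many addresses requesting one PHP file) appears in the access log as a single path taking most of the requests while being spread over many clients, which is the case per-address connection limits do not catch. The sketch assumes Apache common/combined log format on stdin; `flood_targets`, `/target.php` and the sample log lines are constructed for illustration.

```shell
# flood_targets MIN_SHARE MIN_CLIENTS
# stdin: access-log lines in Apache common/combined format.
# Prints "path hits clients" for every request path that accounts for at
# least MIN_SHARE percent of the parsed requests and was requested by at
# least MIN_CLIENTS distinct addresses, busiest first.
flood_targets() {
    awk -v share="$1" -v clients="$2" '
    $6 ~ /^"[A-Z]+$/ {                     # skip lines with no parsed request
        path = $7
        sub(/\?.*/, "", path)              # count /x.php?a and /x.php?b together
        total++
        hits[path]++
        if (!((path, $1) in seen)) { seen[path, $1] = 1; ips[path]++ }
    }
    END {
        for (p in hits)
            if (hits[p] * 100 >= share * total && ips[p] >= clients)
                print p, hits[p], ips[p]
    }' | sort -k2,2nr
}

# Constructed sample log: 30 addresses request /target.php twice each, next to
# a little ordinary traffic and one timed-out connection logged without a request.
sample_log() {
    fmt='%s - - [01/Jan/2012:00:00:00 +0000] "GET %s HTTP/1.1" 200 512\n'
    i=1; while [ "$i" -le 30 ]; do
        printf "$fmt" "198.51.100.$i" "/target.php?n=$i"
        printf "$fmt" "198.51.100.$i" "/target.php"
        i=$((i + 1))
    done
    printf "$fmt" 203.0.113.9  /index.php
    printf "$fmt" 203.0.113.10 "/index.php?topic=1"
    printf "$fmt" 203.0.113.9  /favicon.ico
    echo '203.0.113.11 - - [01/Jan/2012:00:00:09 +0000] "-" 408 -'
}

sample_log | flood_targets 50 10
```

On a live server the same function can read the real access log; a path that dominates the request count across many clients is a candidate for a per-location request limit or a cache rather than a lower per-address connection cap.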
