Detect Slowloris – How to Detect Slowloris Attacks

Tags: apache-2.2, logging

I'm pretty sure I was under Slowloris attack. I set up an iptables rule to limit max connections to my webserver, but I'd like to know how I can figure out if it really was a Slowloris attack, and if so, how I can find the IP address of the attacker. I'd really like to pass the logs on to his ISP.

Thanks

Best Answer

Slowloris attacks work by sending request data as slowly as possible. Therefore, if you could measure the bandwidth use per IP address, then if it's below some threshold (found by measuring the bandwidth in a known Slowloris attack), you know you are under attack.

To prevent attacks, I'd suggest switching your webserver software. I use Cherokee, which is resistant in its default configuration. I can't ascertain whether nginx is vulnerable, but lighttpd is. I also can't be sure that using a resistant webserver as a proxy will make any difference.

Here's more information: http://ha.ckers.org/blog/20090617/slowloris-http-dos/
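The per-IP heuristic the answer describes (many open connections to the web server, very little data flowing over them), worked through as an added example that is not part of the original post or answer. It assumes `netstat -tn`-style lines for the connection count and a per-IP byte count over a sampling window (as a packet or firewall counter would give you); both inputs below are constructed sample data, and the thresholds `min_conns` and `max_bps_per_conn` are placeholders you would calibrate against a known-good baseline of your own server, as the answer suggests.

```python
import re
from collections import Counter

# Matches one ESTABLISHED line of `netstat -tn` output:
# "tcp  0  0 LOCAL_IP:PORT  REMOTE_IP:PORT  ESTABLISHED"
NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+ESTABLISHED$"
)


def established_by_ip(netstat_lines, local_port=80):
    """Count ESTABLISHED connections to local_port, keyed by remote IP."""
    counts = Counter()
    for line in netstat_lines:
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue  # TIME_WAIT, SYN_RECV, headers, etc. are ignored
        _local_ip, lport, remote_ip, _rport = m.groups()
        if int(lport) == local_port:
            counts[remote_ip] += 1
    return counts


def slowloris_suspects(conn_counts, bytes_by_ip, window_s,
                       min_conns=20, max_bps_per_conn=50.0):
    """Flag IPs holding many connections that each carry almost no data.

    conn_counts: remote IP -> number of open connections
    bytes_by_ip: remote IP -> bytes received from that IP during window_s
    Returns a list of (ip, connections, bytes_per_second_per_connection),
    worst (slowest) offender first.
    """
    suspects = []
    for ip, conns in conn_counts.items():
        if conns < min_conns:
            continue  # a handful of idle keep-alive connections is normal
        # An IP with connections but no counted bytes is the slowest case.
        total_bytes = bytes_by_ip.get(ip, 0)
        bps_per_conn = total_bytes / window_s / conns
        if bps_per_conn < max_bps_per_conn:
            suspects.append((ip, conns, bps_per_conn))
    return sorted(suspects, key=lambda s: s[2])


# --- constructed sample data (not real traffic) -------------------------
WINDOW_S = 30
SAMPLE_NETSTAT = (
    ["Active Internet connections (w/o servers)",
     "Proto Recv-Q Send-Q Local Address  Foreign Address  State"]
    # 40 slow connections from one source, ports 50000-50039
    + [f"tcp 0 0 10.0.0.5:80 203.0.113.7:{50000 + i} ESTABLISHED"
       for i in range(40)]
    # an ordinary visitor with 3 connections
    + [f"tcp 0 0 10.0.0.5:80 198.51.100.20:{40000 + i} ESTABLISHED"
       for i in range(3)]
    # a busy but legitimate client (e.g. a proxy) with 25 connections
    + [f"tcp 0 0 10.0.0.5:80 198.51.100.30:{30000 + i} ESTABLISHED"
       for i in range(25)]
    # noise that must be ignored: SSH session and a finished connection
    + ["tcp 0 0 10.0.0.5:22 198.51.100.20:41000 ESTABLISHED",
       "tcp 0 0 10.0.0.5:80 198.51.100.40:42000 TIME_WAIT"]
)
SAMPLE_BYTES_IN = {          # bytes received per IP during WINDOW_S
    "203.0.113.7": 600,      # 40 connections, a few header bytes each
    "198.51.100.20": 45_000,
    "198.51.100.30": 2_000_000,
}


def report(netstat_lines=SAMPLE_NETSTAT, bytes_by_ip=SAMPLE_BYTES_IN,
           window_s=WINDOW_S):
    conns = established_by_ip(netstat_lines)
    return slowloris_suspects(conns, bytes_by_ip, window_s)


if __name__ == "__main__":
    for ip, conns, bps in report():
        print(f"{ip}: {conns} connections, {bps:.2f} B/s per connection")
```

Only the source holding 40 connections with 0.5 B/s on each is reported; the 25-connection client is left alone because its connections are actually moving data, which is the distinction the answer's bandwidth-per-IP measurement is meant to make. Those are the connection records and IP you would keep alongside your web server logs when contacting the ISP.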
