I detected a few days ago that my server was under a slowloris attack (I found a lot of "-" 408 0 "-" "-" values in my access.log).
I changed my configuration like this:
In mod_reqtimeout:
RequestReadTimeout header=5-20,minrate=20
I installed mod_qos and configured it like that:
QS_SrvMaxConnPerIP 50
QS_SrvMinDataRate 120 1500
Is it enough?
Most of the available tutorials just leave the default values in the configuration files.
I noticed that now the "-" 408 0 "-" values have increased a lot. I suppose that's good because it means that more connections are detected as malicious and it means that they are closed before they can "damage" the server. Right?
Can I do something more? Blocking the IPs?…
Thanks in advance for any feedback!
Best Answer
Reading this bug report, I found out that it says you should not use the QS_SrvMinDataRate option because:
They recommend that you only use the RequestReadTimeout option (At least on Apache 2.4+, but since the RequestReadTimeout option was available before, there was probably no need for the QoS options on that one).
It is not unlikely that the cleanup taking too long was causing those 408 errors. But that's just speculation on my part.
Note that Slowloris is difficult to get rid of unless you can block the IP address in your firewall. Something Apache2/QoS does not offer, unfortunately. It's very easy for the attacker to create a new connection when it receives the 408 and thus eat another one of your open Apache2 slots.
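
Both the question and the answer end at blocking IPs in the firewall, which needs a list of offending clients first. The following is an added example, not part of the original question or answer: it reads access-log lines and reports clients whose `"-" 408` entries exceed a per-minute threshold. The threshold of 30, the function names and the sample log lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Prefix of Apache common/combined log lines: ip ident user [time] "request" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def header_timeout_peaks(lines):
    """Map each client IP to its highest per-minute count of '"-" 408' entries."""
    per_minute = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        # Keep only requests that timed out before a request line was read.
        if not m or m["status"] != "408" or m["req"] != "-":
            continue
        minute = m["ts"][:17]  # e.g. "10/Oct/2023:13:55"
        per_minute[(m["ip"], minute)] += 1
    peaks = {}
    for (ip, _minute), count in per_minute.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks

def block_candidates(lines, threshold=30):
    """IPs with at least `threshold` timeouts in one minute (threshold is an assumption).

    Counting per minute rather than in total avoids flagging ordinary clients:
    idle browser connections also produce occasional '"-" 408' entries.
    """
    peaks = header_timeout_peaks(lines)
    return sorted(ip for ip, count in peaks.items() if count >= threshold)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    f'192.0.2.10 - - [10/Oct/2023:13:55:{s:02d} +0000] "-" 408 0 "-" "-"'
    for s in range(40)  # 40 timeouts inside one minute
] + [
    f'203.0.113.5 - - [10/Oct/2023:14:{m:02d}:00 +0000] "-" 408 0 "-" "-"'
    for m in range(40)  # 40 timeouts, but only one per minute
] + [
    '198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "-" 408 0 "-" "-"',
    '198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip in block_candidates(SAMPLE):
        print(ip)
```

The output is a review list for a firewall rule, not an automatic block: addresses behind a shared NAT or proxy can exceed the threshold without being hostile.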