LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Apache - HTTP Server Prone To Slow Denial Of Service Attack (http://www.linuxquestions.org/questions/linux-security-4/apache-http-server-prone-to-slow-denial-of-service-attack-4175463938/)

smithy2010 05-29-2013 07:47 AM

Apache - HTTP Server Prone To Slow Denial Of Service Attack
 
Hello all,

Can anyone advice on how to fix “HTTP Server Prone To Slow Denial Of Service Attack”, CVE-2009-5111, http://nvd.nist.gov/.

I’ve done all that Apache recommended in http://httpd.apache.org/docs/trunk/m...eqtimeout.html, but still no joy.


Thank you in advance

Smithy

unSpawn 05-29-2013 12:46 PM

Quote:

Originally Posted by smithy2010 (Post 4961300)
no joy.

That isn't the type of response anyone can do anything with. Better (technical, clear, efficient, methodical) would have been to say something like "My Apache version is N, I've used setting X, tested with tool Y and the outcome was Z".


Quote:

Originally Posted by smithy2010 (Post 4961300)
Can anyone advice on how to fix “HTTP Server Prone To Slow Denial Of Service Attack”, CVE-2009-5111, http://nvd.nist.gov/.

Realize that mod_reqtimeout is an application layer measure (and using mod_qoS and mod_security are also mentioned BTW) and while that isn't bad you also want to check traffic at the lower network layer. Warding things off lower in the network stack, before it reaches the application, requires less resources and is therefore safer and more efficient. Next to the iptables "recent" module shown in http://www.cert.org/blogs/certcc/200...webserver.html there's also the "connlimit" and "hashlimit" modules, each with their own pros and cons, that may address the explanations in that web log post and http://en.wikipedia.org/wiki/Slowlor...owloris_attack (limiting number of connections). Limiting the minimum transfer speed as suggested could be done with the "connrate" module (negate). Apart from that, excluding putting hardware in front of the web server, it's also suggested elsewhere to use Lighttpd or Nginx (in front of it as reverse proxy?), the reason being they use the more resilient asynchronous I/O model.

smithy2010 05-30-2013 04:02 AM

Thank you for your reply.


All times are GMT -5. The time now is 11:42 AM.