LinuxQuestions.org
Old 06-23-2009, 06:32 AM   #1
neel.gurjar
LQ Newbie
 
Registered: Apr 2008
Posts: 20

Rep: Reputation: 0
How can I secure my server from DoS attack?


Hi,

I have a web server which has CentOS Linux 2.6.18-028stab059.6-ent kernel and Apache 1.3.37 running on it.

2 days back I got one script to test DoS attack on website. It is called slowloris.pl from http://ha.ckers.org/slowloris/

I ran that script against my server and it worked. It stopped my website for some time. That time all other services like SSH were working fine.

Can anybody suggest any configuration changes at Apache and OS/Kernel level to prevent this type of attack?

Currently I am using following settings:

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0

Then Kernel settings are like :
tcp_keepalive_time 7200
tcp_keepalive_time 9
tcp_keepalive_intvl 75
tcp_syn_retries 5
tcp_synack_retries 5
tcp_fin_timeout 60

--
Regards
NeeleshG
 
Old 06-23-2009, 07:16 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
The document itself suggests two options: using a webserver that's not affected or using a proxy in front of the webserver. Since the attack initiates proper TCP maybe iptables modules like recent or hashlimit could help limit requests per source.
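
Before setting a per-source limit like the one suggested in this post, it helps to see how many web connections each source actually holds. The following is an added example, not code from any poster in this thread: it counts open connections to port 80 per remote address from `netstat -tn` style output and flags sources holding a large share of the `MaxClients 150` worker slots from post #1. The function names, the sample lines and the 25% share threshold are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample in `netstat -tn` layout (documentation addresses, not real data).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:40112       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:40200       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.20:51000     TIME_WAIT
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:3301 ESTABLISHED
""" + "".join(
    f"tcp        0      0 192.0.2.10:80           198.51.100.7:{50000 + i}      ESTABLISHED\n"
    for i in range(60)
)

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6-style addresses survive."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port

def connections_per_source(netstat_text, port="80", states=("ESTABLISHED", "SYN_RECV")):
    """Count open connections to the local web port per remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header or non-TCP line
        _, local_port = split_endpoint(fields[3])
        remote_addr, _ = split_endpoint(fields[4])
        if local_port == port and fields[5] in states:
            counts[remote_addr] += 1
    return counts

def heavy_sources(counts, max_clients=150, share=0.25):
    """Return (source, count) pairs holding more than `share` of the worker slots."""
    limit = max_clients * share  # assumed threshold, tune to normal traffic
    return [(src, n) for src, n in counts.most_common() if n > limit]

if __name__ == "__main__":
    for src, n in heavy_sources(connections_per_source(SAMPLE)):
        print(f"{src} holds {n} connections to port 80")
```

The per-source counts seen under normal traffic give a baseline for choosing the limit that a firewall rule or Apache module would then enforce.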
 
Old 06-23-2009, 10:06 AM   #3
italiano40
Member
 
Registered: Jan 2006
Distribution: CentOS 5.3, Mac OSX 10.6.8
Posts: 70
Blog Entries: 1

Rep: Reputation: 17
That script you ran will take down any web site since it uses HTTP requests and stops the packets being sent to the other clients, so that script can't be good to see if your website can stand up to DDOS. Also, the way to protect against DDOS attacks is to write a script such that when many connections are connected and they all ask for many requests, I would disconnect them all; that is the script I wrote and use and it works very well (**Tested against 3 DDOS and no crashes or failures**)
 
Old 06-23-2009, 10:56 AM   #4
luisduenas
LQ Newbie
 
Registered: Dec 2008
Distribution: Debian - pero ya no.
Posts: 22

Rep: Reputation: 0
Maybe you can limit the number of connections per second with the cband module for Apache 2. I used it to limit the speed, but maybe you can use it to limit the number of requests.



The CBandRemoteSpeed is like the CBandSpeed directive, but it sets limits for any individual user (as compared to the overall settings made by CBandSpeed).
 
Old 06-24-2009, 12:57 AM   #5
neel.gurjar
LQ Newbie
 
Registered: Apr 2008
Posts: 20

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by italiano40 View Post
That script you ran will take down any web site since it uses HTTP requests and stops the packets being sent to the other clients, so that script can't be good to see if your website can stand up to DDOS. Also, the way to protect against DDOS attacks is to write a script such that when many connections are connected and they all ask for many requests, I would disconnect them all; that is the script I wrote and use and it works very well (**Tested against 3 DDOS and no crashes or failures**)
Hi,

Thanks for information.
Can you provide me that script as an example please?

Regards
Neelesh
 
Old 06-24-2009, 12:58 AM   #6
neel.gurjar
LQ Newbie
 
Registered: Apr 2008
Posts: 20

Original Poster
Rep: Reputation: 0
Thanks everybody.

Regards
Neelesh
 
Old 06-24-2009, 04:31 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by italiano40 View Post
the way to protect against DDOS attacks is to write a script such that when many connections are connected and they all ask for many requests, I would disconnect them all; that is the script I wrote and use and it works very well (**Tested against 3 DDOS and no crashes or failures**)
The script may work for the script creator and in relation to this type of attack but 0) running a script if you don't know what the script does is a liability itself and 1) anything interpreted will itself require resources which may or may not work when your webserver's resources are already beyond operational limits. On top of that the script creator says the script "works very well" saying it's tested but gives no irrefutable proof.

I'd like to remind all looking for "fixes" that in reality no DoS or DDoS will ever be "fixed" by running a script. If you are, or want to be, a knowledgeable admin you prepare before the attack happens by reading solutions documented on official outlets like CERT, SANS, CIAC, SecurityFocus and the various GNU/Linux portals. In short, combat-proven solutions require close communication with and help from your hosting or upstream network provider. Sure there are ways to combat it and still be able to serve content but those are not turnkey, require planning and a lot of cash.
 
Old 06-25-2009, 04:08 AM   #8
neel.gurjar
LQ Newbie
 
Registered: Apr 2008
Posts: 20

Original Poster
Rep: Reputation: 0
Yep you are right.
Hey I have installed ConfigServer Security & Firewall.
Which is very cool. see this http://www.configserver.com/cp/csf.html

And sure I will keep in touch with all those CERT... security websites

Thanks all of you.

Regards
Neelesh
 
Old 06-25-2009, 04:54 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by neel.gurjar View Post
Hey I have installed ConfigServer Security & Firewall. Which is very cool. see this http://www.configserver.com/cp/csf.html
Installing a firewall is nice, especially if you didn't have one. But you haven't commented on what you actually did to stop this DoS attack. Installing a firewall alone isn't gonna cut it.
 
Old 06-25-2009, 07:34 AM   #10
neel.gurjar
LQ Newbie
 
Registered: Apr 2008
Posts: 20

Original Poster
Rep: Reputation: 0
Currently I have not done anything to stop this DoS attack.
However I am trying to configure CSF and will try mod_evasive module.

Regards
NeeleshG
 
  

