unSpawn |
05-29-2013 12:46 PM |
Quote:
Originally Posted by smithy2010
(Post 4961300)
no joy.
|
That isn't the type of response anyone can do anything with. Better (technical, clear, efficient, methodical) would have been to say something like "My Apache version is N, I've used setting X, tested with tool Y and the outcome was Z".
Quote:
Originally Posted by smithy2010
(Post 4961300)
Can anyone advice on how to fix “HTTP Server Prone To Slow Denial Of Service Attack”, CVE-2009-5111, http://nvd.nist.gov/.
|
Realize that mod_reqtimeout is an application layer measure (and using mod_qoS and mod_security are also mentioned BTW) and while that isn't bad you also want to check traffic at the lower network layer. Warding things off lower in the network stack, before it reaches the application, requires less resources and is therefore safer and more efficient. Next to the iptables "recent" module shown in http://www.cert.org/blogs/certcc/200...webserver.html there's also the "connlimit" and "hashlimit" modules, each with their own pros and cons, that may address the explanations in that web log post and http://en.wikipedia.org/wiki/Slowlor...owloris_attack (limiting number of connections). Limiting the minimum transfer speed as suggested could be done with the "connrate" module (negate). Apart from that, excluding putting hardware in front of the web server, it's also suggested elsewhere to use Lighttpd or Nginx (in front of it as reverse proxy?), the reason being they use the more resilient asynchronous I/O model.
|