From: Thomas Rasmussen
Date: Thu, 01 Oct 2009 02:40:48 +0200
To: freebsd-security@freebsd.org
Subject: Re: Update on protection against slowloris
Message-ID: <4AC3FA90.1000405@gibfest.dk>
In-Reply-To: <4AC37D6B.3060409@optiksecurite.com>

Martin Turgeon wrote:
> Hi list!
>
> We tested mod_antiloris 0.4 and found it quite efficient, but before
> putting it in production, we would like to hear some feedback from
> FreeBSD users. We are using Apache 2.2.x on FreeBSD 6.2 and 7.2. Is
> anyone using it? Do you have any other way to patch against Slowloris
> other than putting a proxy in front or using the HTTP accept filter?
>
> Thanks for your feedback,
>
> Martin

Hello,

I am using it successfully, although not under any serious load, same
Apache and FreeBSD versions. I found it easy (compared to the
alternatives) and efficient, and no, I don't know of any other ways of
blocking the attack, short of using Varnish or similar.

However, accf_http doesn't help at all, since HTTP POST requests bypass
the filter. HTTP POST can be enabled by passing the -httpready switch to
Slowloris.

Please report back with your findings, I've been wondering how it would
perform under load.

Best of luck with it,

Thomas Rasmussen
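
The accf_http point in the reply above, as an added example that is not part of the original thread and is not FreeBSD kernel code: a simplified Python model of the filter's hold-or-pass decision, assuming the accf_http(9) behaviour that only GET and HEAD requests are held in the kernel until their headers are complete. The function names and sample requests are constructed for illustration.

```python
# Simplified model (assumption, not kernel code) of the decision made by the
# FreeBSD accf_http "httpready" accept filter for the bytes received so far.

HOLD = "hold"  # kernel keeps the socket; no Apache worker is occupied yet
PASS = "pass"  # accept() returns; an Apache worker now owns the connection

BUFFERED_METHODS = (b"GET ", b"HEAD ")  # the only methods the filter buffers
END_OF_HEADERS = b"\r\n\r\n"


def accf_http_decision(buf: bytes) -> str:
    """Return HOLD or PASS for the request bytes received so far."""
    for method in BUFFERED_METHODS:
        if buf.startswith(method):
            # GET/HEAD: held until the header block is complete.
            return PASS if END_OF_HEADERS in buf else HOLD
        if method.startswith(buf):
            # Too few bytes to rule out GET/HEAD yet (e.g. b"GE").
            return HOLD
    # Any other method is handed to the server immediately.
    return PASS


def worker_exposed(buf: bytes) -> bool:
    """True when an incomplete request already occupies an Apache worker."""
    return accf_http_decision(buf) == PASS and END_OF_HEADERS not in buf


# Constructed sample requests (example.test is a placeholder host).
SAMPLES = {
    "complete GET": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "partial GET": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: b\r\n",
    "partial POST": b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                    b"Content-Length: 42\r\n",
}


def exposed_samples() -> list:
    """Names of the samples the filter does not keep away from Apache."""
    return [name for name, buf in SAMPLES.items() if worker_exposed(buf)]


if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:13} -> {accf_http_decision(buf)}")
    print("incomplete requests reaching a worker:", exposed_samples())
```

Only the partial POST reaches a worker while still incomplete, which is why the accept filter on its own is not a mitigation and a per-client limit in the server or a buffering proxy in front is still needed.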