From owner-freebsd-security@FreeBSD.ORG Thu Oct 1 09:29:28 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7E68B1065696 for ; Thu, 1 Oct 2009 09:29:28 +0000 (UTC) (envelope-from tevans.uk@googlemail.com) Received: from mail-fx0-f222.google.com (mail-fx0-f222.google.com [209.85.220.222]) by mx1.freebsd.org (Postfix) with ESMTP id 0AF218FC08 for ; Thu, 1 Oct 2009 09:29:27 +0000 (UTC) Received: by fxm22 with SMTP id 22so2648290fxm.36 for ; Thu, 01 Oct 2009 02:29:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=60ZfOFvw20vxAQd0NipZ6RqTKg1NaZqye6Nw+CKzQRA=; b=v2GDg0OotuNF/RB41EyTM0YwyLSh/dqhqtuFJLFvO4fNXvyRDxrO+e+Oh4EHTfXoru cNQhAmfqiohUsCWOfqIQQ6QRAU3dWg69sksLC0EVe20J0gcuqzC3ul6QiuT7zKwLGQ+4 Y3o/zgWLeev0gvF1kopVXXthLqTUPZY7QONvA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=kLI6mJaXySeRUeZPKl+7wax/EWAZe2jG2Re379CSEbViS/p9FNZW821e0s4B9fHKwG oMUZOuuBREGOUqrEJupV/ha3HvKm53j7vEQrfn+G9dullXyG8/9wfXDQIVD8K9y86AT6 rpXT2fV3/7+VP9aqg3xEFKcdW2UR5mOgJXVBQ= Received: by 10.86.220.9 with SMTP id s9mr926721fgg.40.1254387558840; Thu, 01 Oct 2009 01:59:18 -0700 (PDT) Received: from ?127.0.0.1? (87-194-39-182.bethere.co.uk [87.194.39.182]) by mx.google.com with ESMTPS id d4sm66797fga.17.2009.10.01.01.59.16 (version=SSLv3 cipher=RC4-MD5); Thu, 01 Oct 2009 01:59:17 -0700 (PDT) From: Tom Evans To: Thomas Rasmussen In-Reply-To: <4AC3FA90.1000405@gibfest.dk> References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk> Content-Type: text/plain Date: Thu, 01 Oct 2009 09:59:16 +0100 Message-Id: <1254387556.39148.10.camel@strangepork.london.mintel.ad> Mime-Version: 1.0 X-Mailer: Evolution 2.26.3 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: Update on protection against slowloris X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Oct 2009 09:29:28 -0000 On Thu, 2009-10-01 at 02:40 +0200, Thomas Rasmussen wrote: > Martin Turgeon wrote: > > Hi list! > > > > We tested mod_antiloris 0.4 and found it quite efficient, but before > > putting it in production, we would like to hear some feedback from > > freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is > > anyone using it? Do you have any other way to patch against Slowloris > > other than putting a proxy in front or using the HTTP accept filter? > > > > Thanks for your feedback, > > > > Martin > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to > > "freebsd-security-unsubscribe@freebsd.org" > Hello, > > I am using it succesfully although not under any serious load, same > Apache and FreeBSD versions. I found it easy (compared to the > alternatives) and efficient, and no I don't know of any other ways of > blocking the attack, short of using Varnish or similar. However, > accf_http doesn't help at all, since HTTP POST requests bypass the > filter. HTTP POST can be enabled by passing the -httpready switch to > Slowloris. > > Please report back with your findings, I've been wondering how it > would perform under load. > > Best of luck with it, > > Thomas Rasmussen We use Apache 2.2 with the event MPM. This configuration is immune to slowloris, as it was designed (several years before 'slowloris' came along) to solve that exact problem. Cheers Tom