From owner-freebsd-security@FreeBSD.ORG Thu Oct 1 18:20:11 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2E45C1065670 for ; Thu, 1 Oct 2009 18:20:11 +0000 (UTC) (envelope-from ltning@anduin.net) Received: from mail.anduin.net (mail.anduin.net [213.225.74.249]) by mx1.freebsd.org (Postfix) with ESMTP id E074B8FC15 for ; Thu, 1 Oct 2009 18:20:10 +0000 (UTC) Received: from [212.62.248.148] (helo=[192.168.2.172]) by mail.anduin.net with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MtPlw-000Cah-IW; Thu, 01 Oct 2009 19:48:56 +0200 Mime-Version: 1.0 (Apple Message framework v1076) Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes From: =?iso-8859-1?Q?Eirik_=D8verby?= In-Reply-To: <1254387556.39148.10.camel@strangepork.london.mintel.ad> Date: Thu, 1 Oct 2009 19:48:56 +0200 Content-Transfer-Encoding: 7bit Message-Id: <4E7E6B51-2B63-459C-A6FE-F327E899DCF6@anduin.net> References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk> <1254387556.39148.10.camel@strangepork.london.mintel.ad> To: Tom Evans X-Mailer: Apple Mail (2.1076) Cc: Thomas Rasmussen , freebsd-security@freebsd.org Subject: Re: Update on protection against slowloris X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Oct 2009 18:20:11 -0000 On 1. okt. 2009, at 10.59, Tom Evans wrote: > On Thu, 2009-10-01 at 02:40 +0200, Thomas Rasmussen wrote: >> Martin Turgeon wrote: >>> Hi list! >>> >>> We tested mod_antiloris 0.4 and found it quite efficient, but before >>> putting it in production, we would like to hear some feedback from >>> freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is >>> anyone using it? Do you have any other way to patch against >>> Slowloris >>> other than putting a proxy in front or using the HTTP accept filter? >>> >>> Thanks for your feedback, >>> >>> Martin >>> _______________________________________________ >>> freebsd-security@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-security >>> To unsubscribe, send any mail to >>> "freebsd-security-unsubscribe@freebsd.org" >> Hello, >> >> I am using it succesfully although not under any serious load, same >> Apache and FreeBSD versions. I found it easy (compared to the >> alternatives) and efficient, and no I don't know of any other ways of >> blocking the attack, short of using Varnish or similar. However, >> accf_http doesn't help at all, since HTTP POST requests bypass the >> filter. HTTP POST can be enabled by passing the -httpready switch to >> Slowloris. >> >> Please report back with your findings, I've been wondering how it >> would perform under load. >> >> Best of luck with it, >> >> Thomas Rasmussen > > We use Apache 2.2 with the event MPM. This configuration is immune to > slowloris, as it was designed (several years before 'slowloris' came > along) to solve that exact problem. Without SSL, I presume? /Eirik