From: István
To: Eirik Øverby
Cc: Tom Evans, Thomas Rasmussen, freebsd-security@freebsd.org
Date: Thu, 1 Oct 2009 19:46:02 +0100
Subject: Re: Update on protection against slowloris

"The bad news is that it can indeed take a badly-configured apache server
down, and the worse news is that that includes a low-traffic out-of-the box
configuration. Even with the Event MPM, slowloris can tie up one worker
thread per connection."

for sure

2009/10/1 Eirik Øverby

>
> On 1. okt. 2009, at 10.59, Tom Evans wrote:
>
> On Thu, 2009-10-01 at 02:40 +0200, Thomas Rasmussen wrote:
>>
>>> Martin Turgeon wrote:
>>>
>>>> Hi list!
>>>>
>>>> We tested mod_antiloris 0.4 and found it quite efficient, but before
>>>> putting it in production, we would like to hear some feedback from
>>>> FreeBSD users. We are using Apache 2.2.x on FreeBSD 6.2 and 7.2. Is
>>>> anyone using it? Do you have any other way to patch against Slowloris
>>>> other than putting a proxy in front or using the HTTP accept filter?
>>>>
>>>> Thanks for your feedback,
>>>>
>>>> Martin
>>>> _______________________________________________
>>>> freebsd-security@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>>> To unsubscribe, send any mail to
>>>> "freebsd-security-unsubscribe@freebsd.org"
>>>>
>>> Hello,
>>>
>>> I am using it successfully although not under any serious load, same
>>> Apache and FreeBSD versions. I found it easy (compared to the
>>> alternatives) and efficient, and no I don't know of any other ways of
>>> blocking the attack, short of using Varnish or similar. However,
>>> accf_http doesn't help at all, since HTTP POST requests bypass the
>>> filter. HTTP POST can be enabled by passing the -httpready switch to
>>> Slowloris.
>>>
>>> Please report back with your findings, I've been wondering how it
>>> would perform under load.
>>>
>>> Best of luck with it,
>>>
>>> Thomas Rasmussen
>>>
>>
>> We use Apache 2.2 with the event MPM. This configuration is immune to
>> slowloris, as it was designed (several years before 'slowloris' came
>> along) to solve that exact problem.
>>
>
> Without SSL, I presume?
>
> /Eirik
>

-- 
the sun shines for all
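
Whichever mitigation from this thread is in place, the "one worker per connection" behaviour quoted above is visible on the server as many concurrent connections from one source. The following is an added example, not part of any message in the thread: it counts established web connections per remote address from `netstat -an -p tcp` output, assuming the FreeBSD layout (host and port joined by a dot); the sample data, the function names and the limit of 5 are constructed for illustration.

```python
from collections import Counter

# Constructed sample in FreeBSD `netstat -an -p tcp` layout (not real traffic).
ROW = "{:<5} {:>6} {:>6} {:<22} {:<22} {}"
SAMPLE = "\n".join(
    ["Active Internet connections (including servers)",
     "Proto Recv-Q Send-Q Local Address          Foreign Address        (state)",
     ROW.format("tcp4", 0, 0, "*.80", "*.*", "LISTEN")]
    + [ROW.format("tcp4", 0, 0, "192.0.2.10.80", f"198.51.100.7.{51000 + i}", "ESTABLISHED")
       for i in range(8)]
    + [ROW.format("tcp4", 0, 0, "192.0.2.10.80", f"203.0.113.9.{40000 + i}", "ESTABLISHED")
       for i in range(2)]
    + [ROW.format("tcp4", 0, 0, "192.0.2.10.22", "198.51.100.7.50999", "ESTABLISHED"),
       ROW.format("tcp6", 0, 0, "2001:db8::10.443", "2001:db8::5.51234", "ESTABLISHED")]
)


def split_addr(field):
    """Split 'host.port' at the last dot, which also works for IPv6 hosts."""
    host, _, port = field.rpartition(".")
    return host, port


def connections_per_source(netstat_text, ports=("80", "443")):
    """Count ESTABLISHED connections to the given local ports per remote host."""
    counts = Counter()
    for line in netstat_text.splitlines():
        cols = line.split()
        # Data rows have exactly six columns; banner and header rows do not.
        if len(cols) != 6 or not cols[0].startswith("tcp"):
            continue
        _, local_port = split_addr(cols[3])
        remote_host, _ = split_addr(cols[4])
        if cols[5] == "ESTABLISHED" and local_port in ports:
            counts[remote_host] += 1
    return counts


def suspects(netstat_text, limit=5):
    """Remote hosts holding more than `limit` web connections at once.
    The limit is an assumed value; NAT gateways and proxies can exceed it."""
    per_source = connections_per_source(netstat_text)
    return {host: n for host, n in per_source.items() if n > limit}


if __name__ == "__main__":
    for host, n in sorted(suspects(SAMPLE).items()):
        print(f"{host}: {n} concurrent web connections")
```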