From: Tom Evans <tevans.uk@googlemail.com>
To: Eirik Øverby
Cc: Thomas Rasmussen, freebsd-security@freebsd.org
Subject: Re: Update on protection against slowloris
Date: Fri, 02 Oct 2009 09:15:54 +0100
Message-Id: <1254471354.54871.7.camel@strangepork.london.mintel.ad>
In-Reply-To: <4E7E6B51-2B63-459C-A6FE-F327E899DCF6@anduin.net>
References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk> <1254387556.39148.10.camel@strangepork.london.mintel.ad> <4E7E6B51-2B63-459C-A6FE-F327E899DCF6@anduin.net>
List-Id: Security issues [members-only posting]

On Thu, 2009-10-01 at 19:48 +0200, Eirik Øverby wrote:
> On 1. okt. 2009, at 10.59, Tom Evans wrote:
>
> > On Thu, 2009-10-01 at 02:40 +0200, Thomas Rasmussen wrote:
> >> Martin Turgeon wrote:
> >>> Hi list!
> >>>
> >>> We tested mod_antiloris 0.4 and found it quite efficient, but before
> >>> putting it in production, we would like to hear some feedback from
> >>> FreeBSD users. We are using Apache 2.2.x on FreeBSD 6.2 and 7.2. Is
> >>> anyone using it? Do you have any other way to patch against Slowloris
> >>> other than putting a proxy in front or using the HTTP accept filter?
> >>>
> >>> Thanks for your feedback,
> >>>
> >>> Martin
> >>> _______________________________________________
> >>> freebsd-security@freebsd.org mailing list
> >>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >>> To unsubscribe, send any mail to
> >>> "freebsd-security-unsubscribe@freebsd.org"
> >> Hello,
> >>
> >> I am using it successfully although not under any serious load, same
> >> Apache and FreeBSD versions. I found it easy (compared to the
> >> alternatives) and efficient, and no I don't know of any other ways of
> >> blocking the attack, short of using Varnish or similar. However,
> >> accf_http doesn't help at all, since HTTP POST requests bypass the
> >> filter. HTTP POST can be enabled by passing the -httpready switch to
> >> Slowloris.
> >>
> >> Please report back with your findings, I've been wondering how it
> >> would perform under load.
> >>
> >> Best of luck with it,
> >>
> >> Thomas Rasmussen
> >
> > We use Apache 2.2 with the event MPM. This configuration is immune to
> > slowloris, as it was designed (several years before 'slowloris' came
> > along) to solve that exact problem.
>
> Without SSL, I presume?
>
> /Eirik

Yes, we run a prefork MPM apache as a reverse proxy in front of that,
serving just SSL and proxying to the other. We're eagerly awaiting the
release of httpd 2.4, which promotes event MPM to non-experimental (as
they've solved the problem with SSL).

Cheers

Tom
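The two-tier layout Tom describes (a prefork MPM httpd that terminates SSL and reverse-proxies to a separate event MPM httpd) written out as an Apache 2.2 configuration. This is an added example, not configuration posted in the thread or shipped by the FreeBSD port; the module paths, certificate locations, hostname, port numbers and tuning values are assumptions, and the two sections belong in the httpd.conf of two separately started httpd instances.

```apache
# ===== Instance 1: front end, prefork MPM + mod_ssl, public on :443 =====
# Added example configuration; paths under libexec/apache22 and
# /usr/local/etc/apache22 are assumed FreeBSD port defaults.
Listen 443
LoadModule ssl_module        libexec/apache22/mod_ssl.so
LoadModule proxy_module      libexec/apache22/mod_proxy.so
LoadModule proxy_http_module libexec/apache22/mod_proxy_http.so

# This tier still binds one process per client connection, so it is the
# one whose idle window matters: keep Timeout well below the 300 s default
# and do not hold connections open between requests.  (Assumed values.)
Timeout   30
KeepAlive Off

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/apache22/ssl/server.crt
    SSLCertificateKeyFile /usr/local/etc/apache22/ssl/server.key

    # Reverse proxy only: never act as an open forward proxy, and relay
    # everything to the event MPM instance on the loopback interface.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# ===== Instance 2: back end, event MPM, plain HTTP =====
# Listens on the loopback port the front end proxies to, and directly on
# :80 for non-SSL traffic (Tom's front end "serves just SSL").
Listen 127.0.0.1:8080
Listen 80

# Event MPM tuning (assumed starting values).  The listener thread, not a
# worker, owns connections that are idle or still sending a request, which
# is the property Tom relies on against slowloris.
<IfModule mpm_event_module>
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>
KeepAlive On

# FreeBSD HTTP accept filter on the plain-HTTP listener.  Requires the
# accf_http kernel module (accf_http_load="YES" in /boot/loader.conf).
# As Thomas notes above, it only holds back incomplete GET/HEAD requests;
# POST requests are handed to httpd immediately, so it is a complement to
# the event MPM, not a substitute for it.
AcceptFilter http httpready
```

Start each tier with its own configuration file (`httpd -f /path/to/that-instance.conf`) after checking it with `httpd -t`. Before relying on the back end, confirm it was actually built with the event MPM: `httpd -V` prints a `Server MPM:` line, and in the 2.2 series the event MPM has to be selected at build time (it is the experimental MPM Tom refers to, which is why the SSL-terminating tier is still prefork here).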