From owner-freebsd-security@FreeBSD.ORG Tue Oct 6 16:42:56 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EB635106566B for ; Tue, 6 Oct 2009 16:42:56 +0000 (UTC) (envelope-from freebsd@optiksecurite.com) Received: from relais.videotron.ca (relais.videotron.ca [24.201.245.36]) by mx1.freebsd.org (Postfix) with ESMTP id C3E4C8FC17 for ; Tue, 6 Oct 2009 16:42:56 +0000 (UTC) MIME-version: 1.0 Content-transfer-encoding: 8BIT Content-type: text/plain; charset=ISO-8859-1; format=flowed Received: from [69.69.69.193] ([24.201.201.211]) by VL-MO-MR001.ip.videotron.ca (Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id <0KR3006XUQFJPZF0@VL-MO-MR001.ip.videotron.ca> for freebsd-security@freebsd.org; Tue, 06 Oct 2009 12:42:55 -0400 (EDT) Message-id: <4ACB7391.5040204@optiksecurite.com> Date: Tue, 06 Oct 2009 12:42:57 -0400 From: Martin Turgeon User-Agent: Thunderbird 2.0.0.23 (Windows/20090812) To: Thomas Rasmussen References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk> In-reply-to: <4AC3FA90.1000405@gibfest.dk> Cc: freebsd-security@freebsd.org Subject: Re: Update on protection against slowloris X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Oct 2009 16:42:57 -0000 Thomas Rasmussen a écrit : > Martin Turgeon wrote: >> Hi list! >> >> We tested mod_antiloris 0.4 and found it quite efficient, but before >> putting it in production, we would like to hear some feedback from >> freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is >> anyone using it? Do you have any other way to patch against Slowloris >> other than putting a proxy in front or using the HTTP accept filter? >> >> Thanks for your feedback, >> >> Martin >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to >> "freebsd-security-unsubscribe@freebsd.org" > Hello, > > I am using it succesfully although not under any serious load, same > Apache and FreeBSD versions. I found it easy (compared to the > alternatives) and efficient, and no I don't know of any other ways of > blocking the attack, short of using Varnish or similar. However, > accf_http doesn't help at all, since HTTP POST requests bypass the > filter. HTTP POST can be enabled by passing the -httpready switch to > Slowloris. > > Please report back with your findings, I've been wondering how it > would perform under load. > > Best of luck with it, > > Thomas Rasmussen > Hi everyone, We haven't put mod_antiloris in production yet, but I wrote this little shell script to protect us against distributed attack. It's running every minutes in crontab. It checks for any IP with more than 100 connections in FIN_WAIT_2 state and block those IP in PF. #!/bin/sh /usr/bin/netstat -nfinet | grep FIN_WAIT_2 > netstat.out /usr/local/sbin/expiretable -t 300 slowloris for ip in `awk '{print $5}' netstat.out | awk -F. '{print $1"."$2"."$3"."$4}' | sort | uniq` ; do if [ `grep -c $ip netstat.out` -gt 100 ] ; then pfctl -t slowloris -Ta $ip 2> /dev/null fi done Did anyone have any comments on the script itself or the method used to detect the attackers? Thanks for your input, Martin