Date: Tue, 06 Oct 2009 12:42:57 -0400
From: Martin Turgeon <freebsd@optiksecurite.com>
To: Thomas Rasmussen <thomas@gibfest.dk>
Cc: freebsd-security@freebsd.org
Subject: Re: Update on protection against slowloris
Message-ID: <4ACB7391.5040204@optiksecurite.com>
In-Reply-To: <4AC3FA90.1000405@gibfest.dk>
References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk>
Thomas Rasmussen wrote:
> Martin Turgeon wrote:
>> Hi list!
>>
>> We tested mod_antiloris 0.4 and found it quite efficient, but before
>> putting it in production, we would like to hear some feedback from
>> freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is
>> anyone using it? Do you have any other way to patch against Slowloris
>> other than putting a proxy in front or using the HTTP accept filter?
>>
>> Thanks for your feedback,
>>
>> Martin
>
> Hello,
>
> I am using it successfully although not under any serious load, same
> Apache and FreeBSD versions. I found it easy (compared to the
> alternatives) and efficient, and no I don't know of any other ways of
> blocking the attack, short of using Varnish or similar. However,
> accf_http doesn't help at all, since HTTP POST requests bypass the
> filter. HTTP POST can be enabled by passing the -httpready switch to
> Slowloris.
>
> Please report back with your findings, I've been wondering how it
> would perform under load.
>
> Best of luck with it,
>
> Thomas Rasmussen

Hi everyone,

We haven't put mod_antiloris in production yet, but I wrote this little shell script to protect us against a distributed attack. It's running every minute in crontab. It checks for any IP with more than 100 connections in FIN_WAIT_2 state and blocks those IPs in PF.

#!/bin/sh
# Expire table entries older than 300 seconds so blocks lift on their own.
/usr/local/sbin/expiretable -t 300 slowloris
# Count FIN_WAIT_2 connections per remote IP. netstat prints the foreign
# address as a.b.c.d.port, so the trailing .port is stripped before counting.
# Counting exact addresses avoids the substring match of a plain grep
# (10.0.0.1 would otherwise also count lines for 10.0.0.10).
/usr/bin/netstat -n -f inet | awk '$NF == "FIN_WAIT_2" { sub(/\.[0-9]+$/, "", $5); print $5 }' \
    | sort | uniq -c | while read -r count ip ; do
    if [ "$count" -gt 100 ] ; then
        # Assumes pf.conf defines "table <slowloris> persist" and a block rule using it.
        pfctl -t slowloris -T add "$ip" 2> /dev/null
    fi
done

Did anyone have any comments on the script itself or the method used to detect the attackers?
Thanks for your input,

Martin
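The detection step of the script above, redone as an added Python example that is not from the thread: it parses a constructed `netstat -n -f inet` snapshot, counts connections per remote IP in one TCP state (by exact address, so 203.0.113.5 is never confused with 203.0.113.50), and builds the pfctl table-add commands without executing them. The threshold, the table name "slowloris" and the sample addresses are assumptions for the demo.

```python
from collections import Counter

# Constructed sample of FreeBSD `netstat -n -f inet` output (not real traffic).
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          203.0.113.5.40112      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.5.40113      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.5.40114      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.50.1025      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.7.5000      ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.7.5001      ESTABLISHED
tcp4       0      0 192.0.2.10.22          198.51.100.7.5002      FIN_WAIT_2
"""


def count_by_remote_ip(netstat_text, state="FIN_WAIT_2"):
    """Count connections per remote IPv4 address that are in `state`."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have exactly: proto recv-q send-q local foreign state
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != state:
            continue
        # netstat prints the foreign address as a.b.c.d.port; drop the port.
        ip = fields[4].rsplit(".", 1)[0]
        counts[ip] += 1
    return counts


def offenders(netstat_text, threshold=100, state="FIN_WAIT_2"):
    """Remote IPs with more than `threshold` connections in `state`, sorted."""
    counts = count_by_remote_ip(netstat_text, state)
    return sorted(ip for ip, n in counts.items() if n > threshold)


def pfctl_add_commands(ips, table="slowloris"):
    """argv lists that would add each IP to the pf table (assumed table name)."""
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in ips]


if __name__ == "__main__":
    # Low threshold so the constructed sample actually trips the check.
    for cmd in pfctl_add_commands(offenders(SAMPLE_NETSTAT, threshold=2)):
        print(" ".join(cmd))
```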
