Posted to users@subversion.apache.org by Stefan Sperling <st...@elego.de> on 2012/02/02 15:53:11 UTC

Re: Apache directives to avoid DDOS

On Mon, Jan 30, 2012 at 03:56:52PM +0100, Nouha Terzi wrote:
> Hi,
> 
> As suggested here:
> https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
> Modifying those directives can protect against slow HTTP attacks and make
> the attacks more difficult to execute:
> 
> - LimitRequestFields
> - LimitRequestFieldSize
> - LimitRequestBody
> - LimitRequestLine
> - LimitXMLRequestBody
> - TimeOut
> - KeepAliveTimeOut
> - ListenBackLog
> - MaxRequestWorkers
> - AcceptFilter
> 
> Has someone already configured an svn Apache server to handle slow HTTP
> attacks?
> Is there any known impact of these Apache directives?
> 
> Thank you in advance.

I wouldn't recommend changing any of these from the defaults,
unless you are 100% sure that there is a real threat to your server
because of the default value of one or more of these options.

Have you actually had the problem described in the blog post?
Keep in mind that this is a blog. Have you already checked the
official Apache HTTPD documentation? Maybe it discusses the
implications of changing the default values.

From the options in this list, KeepAliveTimeOut is probably most
relevant to Subversion. If you set this too low Subversion clients
will have problems with dropped connections during checkout and update
operations. Subversion clients sometimes need to do some amount of
local processing (such as copying a temporary file) before they will
send another request. If the server has dropped the connection before
the local operation has finished the client will error out.

I have no idea how you could distinguish between a Subversion client
doing some local processing and a malicious client that sends some
requests and then waits in order to try a "slow HTTP attack" as described
in the blog post.

I would say don't worry about this unless you can prove that somebody
is using this strategy to deny access to your server.