Posted to users@httpd.apache.org by Nick Kew <ni...@webthing.com> on 2010/04/14 22:46:55 UTC

[users@httpd] slowloris mitigation

When slowloris first hit the headlines, it generated bad press
for us: we offered no defence beyond raising your resource limits.
I hacked up mod_noloris as a stopgap solution, but it's
not really recommended for anything beyond ticking a box
labelled "defence against slowloris-type attacks".

Since then Stefan has given us mod_reqtimeout, which offers
an alternative defence, and a more satisfactory approach.
That means mod_noloris could be redundant before ever becoming
part of a release.

So what should we do with mod_noloris?
(a) Keep it and maintain it for users who want it
(b) Keep it in trunk for the interested but keep it
    out of released versions.
(c) Delete it altogether from svn?  If so, I'll keep
    it at webthing for anyone who really wants it.

Posted to users@ (as well as dev@) in case anyone wants to
report experiences - good or bad - on using it.

-- 
Nick Kew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
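An added illustration (not code from this thread, from mod_noloris or from mod_reqtimeout) of the difference between the two defences Nick contrasts: a per-read idle timeout, which is all httpd's classic Timeout directive gives you, against a bounded header-read window with a minimum data rate, which is what mod_reqtimeout's RequestReadTimeout header=20-40,MinRate=500 enforces. The readers below model those semantics over a list of (arrival time, bytes) chunks; the rate extension is simplified to "bytes received divided by MinRate, capped at the maximum", and all traffic, timings and chunk sizes are constructed.

```python
"""Why a per-read idle timeout does not stop a slowloris client, and how a
bounded header-read window with a minimum data rate does. Added illustration
written for this thread, not the module's code; all timings are constructed."""

from typing import Iterable, List, Tuple

Chunk = Tuple[float, bytes]  # (seconds since accept(), bytes delivered)

HEAD_END = b"\r\n\r\n"


def idle_only_read(chunks: Iterable[Chunk], idle: float = 300.0):
    """Classic behaviour: the read only fails if the client is silent for
    `idle` seconds between packets. Returns (status, head, seconds_held)."""
    buf, last = b"", 0.0
    for t, data in chunks:
        if t - last > idle:
            return ("timeout", buf, t)
        buf, last = buf + data, t
        if HEAD_END in buf:
            return ("ok", buf, t)
    # Ran out of input while the head was still incomplete: the worker is
    # still sitting on this connection at this point.
    return ("stalled", buf, last)


def bounded_read(chunks: Iterable[Chunk], initial: float = 20.0,
                 maximum: float = 40.0, min_rate: int = 500):
    """Bounded window: the head must be complete within `initial` seconds.
    Every packet extends the deadline by len(data)/min_rate seconds (the
    simplified MinRate model), but never past `maximum`.
    Returns (status, head, seconds_held)."""
    deadline, buf = initial, b""
    for t, data in chunks:
        if t > deadline:
            return ("timeout", buf, deadline)
        buf += data
        deadline = min(maximum, deadline + len(data) / min_rate)
        if HEAD_END in buf:
            return ("ok", buf, t)
    return ("timeout", buf, deadline)


# Constructed traffic. A normal client sends the whole head in one packet.
NORMAL: List[Chunk] = [(0.05, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n")]


def slowloris(interval: float = 10.0, count: int = 100) -> List[Chunk]:
    """A slowloris client: a valid request line, then one bogus header
    every `interval` seconds, never the blank line that ends the head."""
    out: List[Chunk] = [(0.05, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n")]
    out += [(i * interval, b"X-a: b\r\n") for i in range(1, count + 1)]
    return out


if __name__ == "__main__":
    for name, reader in (("Timeout 300", idle_only_read),
                         ("header=20-40,MinRate=500", bounded_read)):
        for label, traffic in (("normal", NORMAL), ("slowloris", slowloris())):
            status, _, held = reader(traffic)
            print(f"{name:26} {label:10} {status:8} worker held {held:8.2f}s")
```

With the idle-only reader the slowloris connection is still "stalled" after 1000 seconds of traffic (each gap is well under the 300-second idle limit), so every such connection pins a worker for as long as the attacker cares to keep sending; the bounded reader drops it just after 20 seconds, because 8 bytes every 10 seconds extends the deadline by only 16 milliseconds per packet.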


Re: [users@httpd] slowloris mitigation

Posted by Nerius Landys <nl...@gmail.com>.
> Posted to users@ (as well as dev@) in case anyone wants to
> report experiences - good or bad - on using it.

I have tried using various Apache modules to address possibilities of
Slowloris attacks.  Finally, after not being satisfied with what
existing modules had to offer, I ended up using operating system
firewall rules to limit the number of concurrent TCP connections from
any given IP address.  The firewall solution (using OpenBSD Packet
Filter) was not perfect either, because connections in a FIN_WAIT_2
state are counted towards the "open connection number", and they
linger for about a minute.  What I really wanted was a limit on the
number of established TCP connections from any single IP address.

The problem I had with existing Apache modules (I forget which ones
exactly I tried) is that they forked a child process for incoming
connections, and then only after forking did they close the connection
under certain conditions.  What I really wanted was the ability to
_not_ fork a child process for an incoming TCP connection from an IP
address if there already exist N established TCP connections
from that IP address.  Perhaps due to the limitations of Apache's
architecture (??) it's not possible to control whether a TCP
connection causes a fork (??) via custom module.  Since Apache forks
always, regardless of what the anti-loris modules did afterwards, the
max children in Apache can be reached quickly and that would cause a
denial of service until the children would be freed up.  Is it
possible to write a module that prevents a fork altogether as
described?

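As an added example of the accounting Nerius describes (not code from this thread, from PF or from any httpd module): count connections to the web ports per source address from netstat-style state lines, keeping ESTABLISHED apart from FIN_WAIT_2 and TIME_WAIT, so that a limit applies only to established connections. The state table below is constructed; the web ports and the limit are assumptions.

```python
"""Per-source count of ESTABLISHED connections to the web ports, kept apart
from half-closed states (FIN_WAIT_2, TIME_WAIT) that a plain "open
connections per IP" limit also counts. Added illustration; the state table
is constructed in the shape of `netstat -ant` output."""

import re
from collections import Counter
from typing import Dict, List

WEB_PORTS = {80, 443}  # assumption: the ports the limit should apply to

# Constructed sample. BSD netstat writes "addr.port"; Linux writes "addr:port".
SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  203.0.113.10.80        198.51.100.7.51022     ESTABLISHED
tcp        0      0  203.0.113.10.80        198.51.100.7.51023     ESTABLISHED
tcp        0      0  203.0.113.10.80        198.51.100.7.51024     ESTABLISHED
tcp        0      0  203.0.113.10.80        198.51.100.7.51025     FIN_WAIT_2
tcp        0      0  203.0.113.10.80        198.51.100.7.51026     FIN_WAIT_2
tcp        0      0  203.0.113.10.80        192.0.2.44.40001       ESTABLISHED
tcp        0      0  203.0.113.10.80        192.0.2.44.40002       TIME_WAIT
tcp        0      0  203.0.113.10.22        192.0.2.44.40003       ESTABLISHED
"""

_ENDPOINT = re.compile(r"^(.+)[.:](\d+)$")  # greedy: split at the last separator


def split_endpoint(ep: str):
    """'198.51.100.7.51022' or '198.51.100.7:51022' -> ('198.51.100.7', 51022)."""
    m = _ENDPOINT.match(ep)
    if not m:
        raise ValueError(f"unparseable endpoint: {ep!r}")
    return m.group(1), int(m.group(2))


def count_by_state(text: str) -> Dict[str, Counter]:
    """{state: Counter(source_ip -> connections)} for connections to WEB_PORTS."""
    by_state: Dict[str, Counter] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # header line, UDP, unix sockets
        _, local_port = split_endpoint(f[3])
        src, _ = split_endpoint(f[4])
        if local_port not in WEB_PORTS:
            continue
        by_state.setdefault(f[5], Counter())[src] += 1
    return by_state


def established(text: str) -> Counter:
    """Only fully established connections: what the limit should be applied to."""
    return count_by_state(text).get("ESTABLISHED", Counter())


def all_states(text: str) -> Counter:
    """What a limit over every state counts: FIN_WAIT_2 and TIME_WAIT included."""
    total: Counter = Counter()
    for c in count_by_state(text).values():
        total.update(c)
    return total


def over_limit(text: str, limit: int) -> List[str]:
    """Sources holding more than `limit` ESTABLISHED web connections."""
    return sorted(ip for ip, n in established(text).items() if n > limit)


if __name__ == "__main__":
    est, every = established(SAMPLE), all_states(SAMPLE)
    for ip in sorted(every):
        print(f"{ip:16} established={est[ip]} all_states={every[ip]}")
    print("over limit of 2:", over_limit(SAMPLE, 2))
```

On the sample, 198.51.100.7 holds three established connections but five in total; a limit of four applied over every state would already penalise it for the two FIN_WAIT_2 entries, while the established-only count does not.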


RE: [users@httpd] Domain cant find server

Posted by Renato Oliveira <re...@grant.co.uk>.
Have you checked if you can ping the DNS name from other machines?
Have you checked if you can get access to the DNS name from outside, or from somewhere other than the location you are in?
Have you checked the nameservers you are using?
Do an nslookup on Windows or host -t A <DNSNAME> on Linux and see what the result is.

Check which nameservers the server is using. Can you resolve the DNS name from the server in question?

Make sure the DNS name matches the server name and the IP address.

You need to identify if the problem is with your premises or an external problem.
Try to break it down to narrow the problem.
It may be that there is a technical problem with GoDaddy.

R



Renato Oliveira
Systems Administrator

-----Original Message-----


From: Frank Gingras [mailto:francois.gingras@gmail.com]
Sent: 14 April 2010 22:59
To: users@httpd.apache.org
Subject: Re: [users@httpd] Domain cant find server

Alexander,

You are facing a domain name resolution issue. Please look on wikipedia
and the likes for more details, as apache httpd does not interact with DNS.

Frank.

On 14/04/2010 4:52 PM, Alexander Welz wrote:
> I have apache 2.2 installed on a computer.
>
> If I type the IP address for the server in the browser window, the website
> displays.
> I am using a domain from GoDaddy. I set up the name server in GoDaddy for
> the domain of the same name.
> I can ping the nameserver and the IP for the webserver displays.
> If I ping the domain name it cannot find the server.
>
> The DNS and Nameserver are set up correctly with godaddy, but it is getting
> lost when the domain tries to find my server.
>
> Any ideas on what is causing the problem?
>
>


Re: [users@httpd] Domain cant find server

Posted by Frank Gingras <fr...@gmail.com>.
Alexander,

You are facing a domain name resolution issue. Please look on wikipedia 
and the likes for more details, as apache httpd does not interact with DNS.

Frank.

On 14/04/2010 4:52 PM, Alexander Welz wrote:
> I have apache 2.2 installed on a computer.
>
> If I type the IP address for the server in the browser window, the website
> displays.
> I am using a domain from GoDaddy. I set up the name server in GoDaddy for
> the domain of the same name.
> I can ping the nameserver and the IP for the webserver displays.
> If I ping the domain name it cannot find the server.
>
> The DNS and Nameserver are set up correctly with godaddy, but it is getting
> lost when the domain tries to find my server.
>
> Any ideas on what is causing the problem?
>
>


[users@httpd] Domain cant find server

Posted by Alexander Welz <aw...@att.net>.
I have apache 2.2 installed on a computer.

If I type the IP address for the server in the browser window, the website
displays.
I am using a domain from GoDaddy. I set up the name server in GoDaddy for
the domain of the same name.
I can ping the nameserver and the IP for the webserver displays.
If I ping the domain name it cannot find the server.

The DNS and Nameserver are set up correctly with godaddy, but it is getting
lost when the domain tries to find my server.

Any ideas on what is causing the problem?




Re: slowloris mitigation

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On 14 Apr 2010, at 22:46, Nick Kew wrote:
> 
> Since then Stefan has given us mod_reqtimeout, which offers
> an alternative defence, and a more satisfactory approach.
> ..
> So what should we do with mod_noloris?
> (b) Keep it in trunk for the interested but keep it
>    out of released versions.

I would not mind keeping it in /trunk/ for a while longer - until this whole class is more or less put to rest. Found it a useful starting point to deal with ad hoc/special issues.

Dw.

Re: slowloris mitigation

Posted by HyperHacker <hy...@gmail.com>.
I haven't used it, but if mod_reqtimeout makes it entirely redundant,
my vote would be to keep it in trunk only. People interested in how
the attack/defence work can look at it, and there might be those who
for some reason don't want mod_reqtimeout.

-- 
Sent from my toaster.
