cPanel & WHM no longer develops EasyApache 3 and only releases security updates for it. We will deprecate EasyApache 3 on December 31, 2018. After that date, we will no longer update EasyApache 3. In cPanel & WHM version 78, we will remove support for EasyApache 3. For more information, read our cPanel Long-Term Support documentation. If you do not upgrade to EasyApache 4, you cannot upgrade to cPanel & WHM version 78. We strongly recommend that you upgrade to EasyApache 4. For more information, read our EasyApache 4 documentation.
How To Mitigate Slowloris Attacks - EasyApache - cPanel Documentation

Overview

The Slowloris attack attempts to open a large number of connections with a web server and holds those connections open for as long as possible. A web server can only provide service to a finite number of clients. After the Slowloris attack consumes all of the available connections on a server, other clients cannot reach its sites.

To accomplish this, the Slowloris program opens a connection to the web server and sends a partial HTTP request. It then periodically sends additional header lines, so the request keeps growing but is never completed, and the server keeps the connection open while it waits for the rest. Repeated across many connections, this process eventually fills the maximum number of concurrent connections, and the server denies additional connections from other clients.

This document provides several methods to mitigate the impact of Slowloris attacks.

For more information about Slowloris attacks, read Slowloris at Wikipedia.

The mod_reqtimeout module (recommended)

Note:

  • The mod_reqtimeout module is included with Apache version 2.2.15 and later, including Apache version 2.4.
  • On systems that run EasyApache 3, you can install the mod_reqtimeout module as an opt mod.

Place any mod_reqtimeout directives that you wish to use in the /usr/local/apache/conf/includes/pre_main_global.conf file.

The following example configuration demonstrates how you can use the mod_reqtimeout module:

<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>

For the request headers, this configuration initially waits up to 20 seconds. Each 500 bytes of header data that the client sends extends that deadline by 1 second, but the server never waits more than 40 seconds in total for the headers to complete. A client that trickles a few bytes every several seconds, as Slowloris does, therefore loses its connection after 20 seconds instead of holding it indefinitely.

For the request body, the same rule applies: the server initially waits up to 20 seconds, extends the deadline by 1 second for every 500 bytes of body data the client sends, and waits no more than 40 seconds in total for the body to complete. When a deadline passes, Apache answers the request with a 408 Request Timeout status and closes the connection.

For more information, read Apache's ModReqtimeout Documentation.
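The deadline arithmetic above, together with a slow-client probe you can point at a test server to confirm the directive is taking effect, as an added example in Python (this is not code from cPanel or the Apache project). The module and function names are ours; the probe assumes a host and port you control and that the server, as Apache does, answers a timed-out header read with a 408 status line or by closing the socket.

```python
"""Added example: model the RequestReadTimeout deadline and probe a server
with a Slowloris-style slow client. Not cPanel or Apache project code."""
import argparse
import socket
import time


def reqtimeout_deadline(bytes_received, initial=20, maximum=40, min_rate=500):
    """Seconds after the first read that mod_reqtimeout keeps waiting for the
    rest of the request headers under header=initial-maximum,MinRate=min_rate.
    The deadline starts at `initial`, grows by 1 s for every `min_rate` bytes
    the client has sent, and is capped at `maximum`."""
    return min(maximum, initial + bytes_received // min_rate)


def simulated_close_time(interval, header_bytes, initial=20, maximum=40, min_rate=500):
    """Idealised model of a Slowloris client that sends `header_bytes` of
    header data every `interval` seconds. Returns the time (seconds after the
    first byte) at which the server gives up on the unfinished request."""
    sent = 0
    t = 0.0
    while True:
        sent += header_bytes  # the client sends one more header line at time t
        deadline = reqtimeout_deadline(sent, initial, maximum, min_rate)
        if t + interval > deadline:  # the next line would arrive too late
            return deadline
        t += interval


def slowloris_probe(host, port, interval=10.0, max_wait=120.0):
    """Hold one connection open with an unfinished request and trickle a bogus
    header line every `interval` seconds. Returns (seconds_open, bytes_sent,
    outcome), where outcome is the server's status line (Apache sends
    'HTTP/1.1 408 Request Timeout') or 'closed'. Returns None if the
    connection is still open after `max_wait` seconds, i.e. the mitigation
    is not in effect."""
    start = time.monotonic()
    sent = 0
    with socket.create_connection((host, port), timeout=interval) as sock:
        # Request line plus one header but no blank line: never a complete request.
        partial = f"GET / HTTP/1.1\r\nHost: {host}\r\n".encode()
        sock.sendall(partial)
        sent += len(partial)
        n = 0
        while time.monotonic() - start < max_wait:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                # Nothing from the server within `interval`: it is still
                # waiting, so keep the request alive with another header line.
                line = f"X-a: {n}\r\n".encode()
                try:
                    sock.sendall(line)
                except OSError:
                    return time.monotonic() - start, sent, "closed"
                sent += len(line)
                n += 1
                continue
            except OSError:
                return time.monotonic() - start, sent, "closed"
            if not data:
                return time.monotonic() - start, sent, "closed"
            status = data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
            return time.monotonic() - start, sent, status
    return None


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Slowloris-style probe for RequestReadTimeout")
    ap.add_argument("host")
    ap.add_argument("port", type=int)
    ap.add_argument("--interval", type=float, default=10.0)
    args = ap.parse_args()
    print("model predicts close at", simulated_close_time(args.interval, len("X-a: 0\r\n")), "s")
    print("server result:", slowloris_probe(args.host, args.port, args.interval))
```

Run the probe against a staging server once with the directive in place and once with it removed. With header=20-40 the connection is answered with a 408 status line within 40 seconds; without it, a header line every 10 seconds keeps the connection alive for the whole max_wait, which is exactly the behaviour Slowloris relies on.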

The mod_qos.c module

Note:

  • The mod_qos.c module is only available for systems that run EasyApache 3.
  • The mod_qos.c module is available for Apache version 2.0 and later, but we recommend that you use Apache version 2.2 or later.

The following example demonstrates how to configure the mod_qos.c module to mitigate Slowloris attacks:

<IfModule mod_qos.c>
    # handles connections from up to 100000 different IPs
    QS_ClientEntries 100000
    # will allow only 50 connections per IP
    QS_SrvMaxConnPerIP 50
    # maximum number of active TCP connections is limited to 256
    MaxClients 256
    # disables keep-alive when 70% of the TCP connections are occupied:
    QS_SrvMaxConnClose 180
    # minimum request/response speed (deny slow clients blocking the server,
    # ie. slowloris keeping connections open without requesting anything):
    QS_SrvMinDataRate 150 1200
    # and limit request header and body (careful, that limits uploads and post requests too):
    # LimitRequestFields 30
    # QS_LimitRequestBody 102400
</IfModule>

This example configuration will enforce the following behavior:

  • MaxClients — This setting limits the server to a maximum of 256 concurrent connections.
  • QS_ClientEntries — This setting tracks up to 100,000 distinct client IP addresses.
  • QS_SrvMaxConnPerIP — This setting limits each IP address to a maximum of 50 concurrent connections.
  • QS_SrvMaxConnClose — This setting disables the KeepAlive function when at least 180 connections exist (about 70% of MaxClients).
  • QS_SrvMinDataRate — This setting requires each connection to send or receive at least 150 bytes per second. The required rate rises linearly toward 1200 bytes per second as the number of busy connections approaches the MaxClients limit, so the server closes slow connections first when it is under load. A Slowloris connection that trickles a few bytes every several seconds falls below the minimum and is dropped.

Additional documentation