LiraNuna's Development Blog
Securing your Debian server against slowloris
Posted on Friday 26 June 2009

I recently came across a very nasty DoS attack that any script kiddy can execute, called slowloris. It involves sending partial HTTP requests: Apache2 patiently waits for an unreasonable amount of time for the remaining data, and each waiting connection consumes a thread. Doing so continuously will prevent Apache2 from opening more threads and serving potential visitors.

One old remedy for this was supposedly mod_evasive, but it doesn’t really work against that specific type of attack as it acts too late to understand it’s an attack.

Very recently, an Apache module fixing this vulnerability was released – mod_antiloris – but it’s made with a RedHat-based server in mind. Here are the steps to get it working on Debian or any other Debian-compatible server (such as Ubuntu).

First install the prerequisites. I assume you are using the threaded version of Apache, else you are not vulnerable to this type of attack.

sudo apt-get install gcc apache2-threaded-dev

Next, get the module source, extract it and compile:

wget "ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/mod_antiloris-0.3.tar.bz2"
tar xvf mod_antiloris-0.3.tar.bz2
cd mod_antiloris-0.3/

The following command will end in an error – this is perfectly normal! Since apxs2 (Apache extension service) for Debian isn’t modified to handle Debian-style modules, do not run it as root: it will mess up your system, thinking it’s RedHat compatible.

apxs2 -a -i -c mod_antiloris.c

Because apxs2 didn’t have permission to copy the module, we’ll do it ourselves:

sudo cp .libs/mod_antiloris.so /usr/lib/apache2/modules/mod_antiloris.so

Now we’ll add a Debian-style .load file to auto-load the module:

sudo su -c "echo 'LoadModule antiloris_module /usr/lib/apache2/modules/mod_antiloris.so' > /etc/apache2/mods-available/antiloris.load"

Then we’ll enable the module, Debian style:

sudo a2enmod antiloris

And reload Apache’s configuration and modules:

sudo /etc/init.d/apache2 reload

This module solves the slowloris DoS attack – so I urge you to install it as soon as possible if you are using Apache as your HTTP server.

I would like to make sure credit goes where it is due – I did not develop this module – I just wrote instructions on how to make it Debian compatible, since it seems to be RedHat centric. The module was written and hosted by Kees Monshouwer, for whom I cannot seem to find any official website.
I hope this will help people as much as it helped me.
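
To check whether a server is seeing the connection pattern described at the top of this post (many connections held open by the same client), here is an added example that is not part of the original post or of mod_antiloris. The function names `count_peers` and `sample_ss`, the threshold and port 80 are assumptions, and the sample connection list is constructed.

```shell
#!/bin/sh
# Added example: flag clients that hold many concurrent connections to the
# web server, which is what a slowloris run looks like from the server side.

# count_peers THRESHOLD
# Reads `ss -Htn`-style lines on stdin, takes the peer address from the last
# field (assumption: no process column, i.e. ss run without -p), strips the
# port, and prints "COUNT IP" for every peer with at least THRESHOLD
# connections, busiest first.
count_peers() {
    awk -v min="$1" '
        NF {
            peer = $NF
            sub(/:[0-9]+$/, "", peer)    # drop the trailing :port
            gsub(/^\[|\]$/, "", peer)    # unwrap [IPv6] addresses
            seen[peer]++
        }
        END {
            for (ip in seen)
                if (seen[ip] >= min) print seen[ip], ip
        }' | sort -rn
}

# Constructed sample input in the shape of `ss -Htn` output
# (documentation address ranges only).
sample_ss() {
cat <<'EOF'
ESTAB 0 0 192.0.2.10:80 203.0.113.7:51000
ESTAB 0 0 192.0.2.10:80 203.0.113.7:51001
ESTAB 0 0 192.0.2.10:80 198.51.100.23:40222
ESTAB 0 0 192.0.2.10:80 203.0.113.7:51002
ESTAB 0 0 [2001:db8::1]:80 [2001:db8::5]:40112
ESTAB 0 0 192.0.2.10:80 203.0.113.7:51003
ESTAB 0 0 [2001:db8::1]:80 [2001:db8::5]:40113
ESTAB 0 0 192.0.2.10:80 203.0.113.7:51004
EOF
}

# Demo on the constructed sample: peers with 3 or more connections.
sample_ss | count_peers 3

# Live use on the server (assumes Apache listens on port 80):
#   ss -Htn state established '( sport = :80 )' | count_peers 20
```

Run it before and after enabling the module to compare how many connections a single address is able to keep open.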


8 Comments for 'Securing your Debian server against slowloris'

  1.  
    vINAN
    July 17, 2009 | 2:27
     

    Thanks for your post,
    went through it smoothly

  2.  
    Flam
    August 8, 2009 | 15:59
     

    On this step:
    echo “LoadModule antiloris_module /usr/lib/apache2/modules/mod_antiloris.so” | sudo tee > /etc/apache2/mods-available/antiloris.load

    I’m getting the error:
    -bash: /etc/apache2/mods-available/antiloris.load: Permission denied

    I even tried with a sudo, even though you have ‘sudo tee’ in there.

  3.  
    August 8, 2009 | 22:45
     

    @Flam: I’m not sure why it happens, but I have updated the post to reflect a better method that doesn’t depend on tee.

  4.  
    Flam
    August 8, 2009 | 22:59
     

    Thanks for the edit, works with:
    echo "LoadModule antiloris_module /usr/lib/apache2/modules/mod_antiloris.so" | sudo tee /etc/apache2/mods-available/antiloris.load

    <3

  5.  
    November 13, 2009 | 9:34
     

    [...] Slow DoS attack with just 1 computer against a number of web servers, including Apache: slowloris. There is a solution for Apache, packaged for RedHat and also available for Debian. [...]

  6.  
    April 26, 2010 | 4:22
     

    [...] English version of this topic called “securing-your-debian-server-against-slowloris” click here! (Thanks to LiraNuna’s Development [...]

  7.  
    January 2, 2011 | 20:57
     

    10x a lot !! – this should solve the problem I got with WordPress MU
    My host claims it makes his server overload and left me with a blocked website :(

    gonna try it so thanks again..
    Sagive SEO

  8.  
    nkts
    September 7, 2011 | 6:53
     

    change “apxs2 -a -i -c” to “apxs2 -c” if you copy the module and add the load rule manually.
