I recently came across a very nasty DoS attack that any script kiddie can execute – called slowloris. It works by sending partial HTTP requests: Apache2 patiently waits an unreasonable amount of time for the remaining data while the connection ties up a worker thread, and doing this continuously prevents Apache2 from opening more threads and serving legitimate web visitors.
One old remedy for this was supposedly mod_evasive, but it doesn’t really work against this specific type of attack, as it reacts too late to recognise it as an attack at all.
Very recently, an Apache module fixing this vulnerability has been released – mod_antiloris – but it is made with a Red Hat-based server in mind. Here are the steps to get it working on a Debian server or any other Debian-compatible server (such as Ubuntu).
First install the prerequisites. I assume you are using the threaded version of Apache; otherwise you are not vulnerable to this type of attack.
sudo apt-get install gcc apache2-threaded-dev
Next, get the module source, extract it and compile:
wget "ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/mod_antiloris-0.3.tar.bz2"
tar xvf mod_antiloris-0.3.tar.bz2
cd mod_antiloris-0.3/
The following command will end in an error – this is perfectly normal! Since apxs2 (Apache extension service) on Debian isn’t modified to handle Debian-style modules, do not run it as root: it would mess up your system, treating it as Red Hat-compatible.
apxs2 -a -i -c mod_antiloris.c
Because apxs2 didn’t have permission to copy the module, we’ll do it ourselves:
sudo cp .libs/mod_antiloris.so /usr/lib/apache2/modules/mod_antiloris.so
Now we’ll add a Debian-style .load file to auto-load the module:
sudo su -c "echo 'LoadModule antiloris_module /usr/lib/apache2/modules/mod_antiloris.so' > /etc/apache2/mods-available/antiloris.load"
Then we’ll enable the module, Debian style:
sudo a2enmod antiloris
And reload Apache’s configurations and modules:
sudo /etc/init.d/apache2 reload
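Once the module is reloaded, it helps to have a quick way of seeing the pattern it defends against: many concurrent connections from a single client that are holding worker threads. The script below is an added example written for this post, not part of mod_antiloris or the author's instructions; it counts established connections per client IP from the output format of `ss -tn state established` (the sample rows are constructed, and the per-IP limit of 10 is an arbitrary threshold chosen here, not a value taken from the module).

```python
"""Per-client connection census for spotting slowloris-style floods.

Added example (not part of mod_antiloris): slowloris ties up worker threads
by keeping many half-finished requests open from one client. This script
gives an operator a per-IP view of that from the kernel socket table.
"""
import ipaddress
import sys
from collections import Counter

# Constructed sample in the column layout of `ss -tn state established`
# (Recv-Q Send-Q Local:Port Peer:Port). Not real traffic: one client holds
# 12 connections to port 80, two others hold one connection each.
SAMPLE_SS_OUTPUT = "Recv-Q Send-Q Local Address:Port Peer Address:Port\n" + "".join(
    f"0      0      192.0.2.10:80      198.51.100.7:{51000 + i}\n" for i in range(12)
) + "0      0      192.0.2.10:443     [2001:db8::5]:40001\n" \
  + "0      0      192.0.2.10:22      203.0.113.9:55000\n"


def count_clients(ss_output: str, local_ports=(80, 443)) -> Counter:
    """Count established connections per peer IP to the given local ports."""
    counts: Counter = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        local, peer = fields[2], fields[3]
        _, _, lport = local.rpartition(":")
        phost, _, _ = peer.rpartition(":")
        try:
            if int(lport) not in local_ports:      # header row fails here too
                continue
            ip = ipaddress.ip_address(phost.strip("[]"))  # handles [v6]:port
        except ValueError:
            continue
        counts[str(ip)] += 1
    return counts


def flag_clients(counts: Counter, limit: int = 10):
    """Return (ip, count) pairs over the per-IP limit, busiest first.

    The limit is an assumed threshold for this example, not a module default.
    """
    over = [(ip, n) for ip, n in counts.items() if n > limit]
    return sorted(over, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    data = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for ip, n in flag_clients(count_clients(data)):
        print(f"{ip}: {n} concurrent connections to the web ports")
```

Run it with no input to see the constructed sample, or pipe `ss -tn state established` into it on a live Debian host to get the same per-client view of real connections.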
This module solves the slowloris DoS attack – so I urge you to install it as soon as possible if you are using Apache as your HTTP server.
I would like to make sure credit is where it is due – I did not develop this module – I just wrote instructions on how to make it Debian compatible, since it seems to be Red Hat centric. The module was written and hosted by Kees Monshouwer, for whom I cannot seem to find any official website.
I hope this will help people as much as it helped me.