I recently came across a very nasty DoS attack that any script kiddie can execute, called slowloris. It involves sending partial HTTP packets while Apache2 patiently waits an unreasonable amount of time for the remaining data, consuming a thread the whole time. Doing so continuously prevents Apache2 from opening more threads and serving potential web viewers.
One old remedy for this was supposedly mod_evasive, but it doesn’t really work against that specific type of attack as it acts too late to understand it’s an attack.
Very recently, an Apache mod fixing this vulnerability has been released, mod_antiloris, but it's made with a RedHat-based server in mind. Here are the steps to get it working on Debian or any other Debian-compatible server (such as Ubuntu).
First install the prerequisites. I assume you are using the threaded version of Apache, else you are not vulnerable to this type of attack.
sudo apt-get install gcc apache2-threaded-dev
Next, get the module source, extract it and compile:
wget "ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/mod_antiloris-0.3.tar.bz2"
tar xvf mod_antiloris-0.3.tar.bz2
cd mod_antiloris-0.3/
The following command will end in an error. This is perfectly normal! Since apxs2 (Apache extension service) for Debian isn't modified to handle Debian-style modules, do not run it as root: it will mess up your system, thinking it's RedHat compatible.
apxs2 -a -i -c mod_antiloris.c
Because apxs2 didn’t have permission to copy the module, we’ll do it ourselves:
sudo cp .libs/mod_antiloris.so /usr/lib/apache2/modules/mod_antiloris.so
Now we'll add a Debian-style .load file to auto-load the module:
sudo su -c "echo 'LoadModule antiloris_module /usr/lib/apache2/modules/mod_antiloris.so' > /etc/apache2/mods-available/antiloris.load"
Then we’ll enable the module, Debian style:
sudo a2enmod antiloris
And reload Apache’s configurations and modules:
sudo /etc/init.d/apache2 reload
This module solves the slowloris DoS attack – so I urge you to install it as soon as possible if you are using Apache as your HTTP server.
I would like to make sure credit is given where it is due: I did not develop this module, I just wrote instructions on how to make it Debian compatible, since it seems to be RedHat centric. The module was written and hosted by Kees Monshouwer, for whom I cannot seem to find any official website.
I hope this will help people as much as it helped me.
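A post-install check, added here as an example (it is not part of the original post or of mod_antiloris): one function confirms from `apache2ctl -M` output that the module is loaded, the other counts established connections per client from `ss -Htn` output, which is where a slowloris run from a single host shows up. The function names, the thresholds and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: post-install checks. Function names, thresholds and the
# sample data are assumptions; addresses are documentation ranges.

# Succeeds if `apache2ctl -M` output on stdin lists antiloris_module.
antiloris_loaded() {
    grep -Eq '^[[:space:]]*antiloris_module([[:space:]]|$)'
}

# Reads `ss -Htn` output on stdin and prints "count peer_ip" for each client
# holding at least $1 established connections to local port $2 (default 80).
busy_clients() {
    awk -v min="$1" -v port="${2:-80}" '
        $1 == "ESTAB" && $4 ~ (":" port "$") {
            peer = $5
            sub(/:[0-9]+$/, "", peer)    # drop the client source port
            n[peer]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Constructed sample of `ss -Htn` output: one client holds three sockets.
sample_ss() {
    cat <<'EOF'
ESTAB     0 0 192.0.2.10:80 198.51.100.7:51001
ESTAB     0 0 192.0.2.10:80 198.51.100.7:51002
ESTAB     0 0 192.0.2.10:80 198.51.100.7:51003
ESTAB     0 0 192.0.2.10:80 203.0.113.9:40000
TIME-WAIT 0 0 192.0.2.10:80 198.51.100.7:50999
ESTAB     0 0 192.0.2.10:22 203.0.113.9:40001
EOF
}

# Demo on the constructed sample; on a live server use instead:
#   apache2ctl -M | antiloris_loaded && echo "antiloris loaded"
#   ss -Htn | busy_clients 20
sample_ss | busy_clients 3
```

Pick the threshold from what your normal traffic looks like; clients behind a shared proxy or NAT can legitimately hold many connections at once.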
Thanks for your post,
went through it smoothly
On this step:
echo "LoadModule antiloris_module /usr/lib/apache2/modules/mod_antiloris.so" | sudo tee > /etc/apache2/mods-available/antiloris.load
I’m getting the error:
-bash: /etc/apache2/mods-available/antiloris.load: Permission denied
I even tried with a sudo, even though you have ‘sudo tee’ in there.
@Flam: I'm not sure why it happens, but I have updated the post to reflect a better method that doesn't depend on tee.
Thanks for the edit, works with:
echo "LoadModule antiloris_module /usr/lib/apache2/modules/mod_antiloris.so" | sudo tee /etc/apache2/mods-available/antiloris.load
<3
[...] Slow DoS attack with just 1 computer against a number of web servers, including Apache: slowloris. There is a solution for Apache, packaged for RedHat and also available for Debian. [...]
[...] English version of this topic called “securing-your-debian-server-against-slowloris” click here! (Thanks to LiraNuna’s Development [...]
10x a lot!! This should solve the problem I got with WordPress MU.
My host claims it makes his server overload and left me with a blocked website :(
Gonna try it, so thanks again.
Sagive SEO
Change "apxs2 -a -i -c" to "apxs2 -c" if you copy the module and add the load rule manually.