The sys admin's daily grind: Mod_qos vs. Slowloris

In the Grip


A tool named after a very downbeat primate launches simple but deadly attacks on web servers. An Apache module gives you protection.

By Charly Kühnast

I always used to associate denial-of-service (DoS) attacks on web servers with brute force. Tens of thousands of simultaneous HTTP connections stress the victim to the point where it runs out of CPU cycles for its daily work.

Slowloris [1] just goes to prove that there is another tack to DoS. Instead of opening more connections than the server can handle, the tool wins out purely by being slow. Slowloris submits each HTTP request in homeopathic doses, with excruciatingly long breaks, but without ever finishing. The intervals between the header tidbits are just short enough to prevent the server from timing out the connection.

Once all the server's sockets have been blocked by Slowloris connections, the server is blocked for regular HTTP requests. Neither the attacker nor the victim needs to work hard; instead, both spend their time like the two tramps in Samuel Beckett's play anticipating the arrival of Godot - waiting. Another interesting facet is the name, Slowloris: Slow lorises are a kind of primate [2]. The tool gained some notoriety when opponents of the Iranian government closed down government servers during the presidential election of 2009.

An Apache server configured in the normal way is vulnerable to this kind of attack. To avoid handing over control to the monkeys without a fight, you can choose from several modules to protect your server. One of them is Mod_qos [3]. Its defense strategy: If the data throughput on a socket drops below a certain value (configured in QS_SrvMaxConnClose), it shuts down the connection and frees up the socket.

Monkey Business

After completing the download, I used Apxs2 to build the module:

tar xvzpf mod_qos-9.9.tar.gz
cd mod_qos-9.9/apache2
apxs2 -ci mod_qos.c

I then created /etc/apache/mods_available/qos.load with the following content:

LoadModule qos_module /usr/lib/apache2/modules/mod_qos.so

I still need a basic configuration that has to be stored as qos.conf in the same directory. Figure 1 is the file for my test server. If you manage a heavily stressed host, you will need to increase this value. After completing the setup, issue

a2enmod qos
/etc/init.d/apache2 restart

to raise your Apache server's protective shield. For more extravagant configurations, you might want to check out the docs directory in the tarball. After all, Mod_qos can do more than just chase monkeys back into the trees.

Figure 1: The qos.conf configuration file that I use to protect my web server against the Slowloris attack.
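
An added example, not the author's Figure 1 and not taken from the mod_qos tarball: a qos.conf that combines a per-IP connection cap, a keep-alive cutoff, and a minimum data rate. All numbers are illustrative assumptions (the keep-alive threshold assumes MaxClients 256) and need tuning per host.

```apache
<IfModule mod_qos.c>
    # Cap concurrent TCP connections from a single client IP, so one
    # source cannot occupy every worker slot.
    QS_SrvMaxConnPerIP 50

    # Once 180 connections are open (about 70% of an assumed
    # MaxClients 256), stop honouring keep-alive: each connection is
    # closed after its request, which returns sockets to the pool sooner.
    QS_SrvMaxConnClose 180

    # Minimum throughput in bytes per second that a client must sustain
    # while sending a request or reading a response. Connections that
    # fall below it are closed. The floor starts at 150 and rises towards
    # 1200 as the number of busy connections approaches MaxClients.
    QS_SrvMinDataRate 150 1200
</IfModule>
```

Running apache2ctl configtest before the restart catches a misspelled directive or a module that failed to load.
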
INFO
[1] Slowloris: http://ha.ckers.org/slowloris/
[2] Loris: http://en.wikipedia.org/wiki/Loris
[3] Mod_qos: http://sourceforge.net/projects/mod-qos/
THE AUTHOR

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, fresh water aquariums, and learning Japanese, respectively.