How to prevent Slow HTTP DoS attacks in apache server

Using mod_reqtimeout

Since Apache HTTP Server 2.2.15, mod_reqtimeout is included by default. mod_reqtimeout can be used to set timeouts for receiving the HTTP request headers and the HTTP request body from a client. As a result, if a client fails to send header or body data within the configured time, a 408 REQUEST TIME OUT error is sent by the server.

The following is an example of a configuration that can be used with mod_reqtimeout.

<IfModule mod_reqtimeout.c>
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

The above configuration allows up to 20 seconds for header data to be sent by a client. Provided that a client sends header data at a rate of 500 bytes per second, the server will allow a maximum 40 seconds for the headers to complete.

Additionally, the configuration will allow for up to 20 seconds for body data to be sent by the client. As long as the client sends header data at a rate of 500 bytes per second, the server will wait for up to 40 seconds for the body of the request to complete.

Using mod_qos

mod_qos is a quality of service module for the Apache HTTP Server which allows the implementation of control mechanisms that can provide different levels of priority to different HTTP requests.

The following is an example of how to configure mod_qos to mitigate slow HTTP DoS attacks.

<IfModule mod_qos.c>
# handle connections from up to 100000 different IPs
QS_ClientEntries 100000
# allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# limit maximum number of active TCP connections limited to 256
MaxClients 256
# disables keep-alive when 180 (70%) TCP connections are occupied
QS_SrvMaxConnClose 180
# minimum request/response speed (deny slow clients blocking the server, keeping connections open without requesting anything
QS_SrvMinDataRate 150 1200

The above configuration tracks up to 100,000 connections and limits the server to a maximum of 256 connections. In addition, the configuration limits each IP address to a maximum of 50 connections and disables HTTP KeepAlive when 180 connections are used (70% of the connections in this case). Finally, the configuration requires a minimum of 150 bytes per second per connection, and limits the connection to 1200 bytes per second when MaxClients is reached.

Using mod_security

mod_security is an open source web application firewall (WAF) that may be used with Apache HTTP server. mod_security makes use of rules that can be applied to carry out specific functions.

The following rules may be used to mitigate a slow HTTP DoS attack.

SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass,setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60, id:'1234123456'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high number of slow DoS alerts', id:'1234123457'"

The above rules identifies when Apache HTTP server triggers a 408 status code and tracks how many times this happened while keeping the data in IP-based persistent storage so it can correlate across requests. If this event has happened more than 5 times in 60 seconds, subsequent requests for that IP address will be dropped by mod_security for a period of 5 minutes.

Leave a Reply