ModSecurity blocks SlowLoris attacks

In mid 2009 was released a tool able to perform a successful DoS attack to different webservers just from a single client. This tool is called SlowLoris and is available here. The attack consists in opening many connections with the target, blocking it with incomplete requests.
Soon different solutions and mitigations to this attack came out: apache dedicated modules (mod_antiloris and mod_qos), IDS/IPS signatures and other proprietary tools.
One of the best free and open source solution as a Web Application Firewall is ModSecurity, a module for the well known web server Apache.
Release 2.5.13 is not only a bugfix release (that updates the Core Rule Set to version 2.0.10) but it adds a new security directive: SecReadStateLimit. It is used to limit the number of concurrent threads in busy connections per IP address, so it will successfully block SlowLoris attacks without any other external help.
I’m testing it in these days but before doing the update to this version, pay attention to the new default blocking mode of the Core Rule Set: it will not block the attacks when reaching a preset anomaly score but it will use a “traditional” mode. More on this topic here.

This entry was posted on Saturday, December 18th, 2010 at 8:58 PM and is filed under security, software.

You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed.