Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The following page has been changed by niq: http://wiki.apache.org/httpd/DoS ------------------------------------------------------------------------------ The slowloris script: threat and limitations - MaxClients, Memory usage, Threaded vs Unthreaded MPM, Event MPM not a solution! + The original slowloris is a perl script, though there are apparently other equivalent scripts floating around. My own testing involved the perl script, on OpenSolaris and Linux platforms. It works by opening huge numbers of concurrent connections to the target server, and holding them open so they are unavailable for normal traffic. + + The slowloris author notes that the script was ineffective running on Windows, because it only made about 130 concurrent outgoing connections. I observed similar limitations on *X platforms: on OpenSolaris it was 252, and on Linux it was 1020. I suspect those could be varied by tuning the host's kernel parameters and/or the Perl build, but I haven't investigated that. + + MaxClients + + Based in this observation, a sufficient (albeit clumsy) defence against a single attacker is to raise maxclients. + This is probably a good idea in any case: the defaults shipped by apache and at least some packagers go back to a time when an average server might have 32Mb RAM! However, it may create a conflict with applications running on the webserver that cannot reasonably support large numbers of concurrent clients. + + Raising MaxClients + + The main concern when raising MaxClients is memory usage. With the single-threaded Prefork MPM, this is a serios issue, as each client requires its own process, at a marginal cost likely to be significantly in excess of 1Mb RAM, so 1000 slowloris connections will consume gigabytes of RAM. With a threaded MPM such as Worker or Event, each 1Mb memory gives capacity to handle about 10-20 slowloris connections, so a modern server can comfortably accommodate many thousands of clients (though applications may not). 
Non-Unix MPMs are also threaded, so I would expect them also to work well with high MaxClients settings, but I have no data. + + Note that the memory usage reported by tools like ps(1) and top(1) include shared memory, so they report apparent figures that are far higher than apache's actual per-process usage. + + Event MPM + + The Event MPM is a partially-asynchronous processing model. However, my tests indicate that it is limited by MaxClients in the same way as other MPMs, and doesn't appear to offer any advantage over Worker in mitigating the effect of SlowLoris attacks. Timeout
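Review bot: the defence in the MaxClients section rests entirely on the attacking host's outgoing-connection ceiling (130 on Windows, 252 on OpenSolaris, 1020 on Linux in your tests), and the same paragraph says that ceiling can probably be raised by kernel or Perl tuning; nothing in the text bounds an attacker who tunes the host or uses several hosts. Make that scope explicit next to "a sufficient (albeit clumsy) defence against a single attacker", e.g. "provided the attacker is limited to roughly a thousand connections per host", so readers do not take a high MaxClients for a complete mitigation, and pair it with the memory arithmetic in the Raising MaxClients section (1000 connections costing gigabytes under Prefork) so the two sections read as one trade-off.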
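Review bot: the Event MPM paragraph states the test result (limited by MaxClients, no advantage over Worker) without the reason; a sentence explaining which stage of a slowloris connection keeps a worker thread occupied, and why Event's partial asynchrony does not cover it, would turn an observation into something readers can act on. Immediately after it the hunk ends on the bare heading "Timeout" with no body; either write the section or drop the heading until the text exists, since a page that ends on an empty heading reads as unfinished.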
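Review bot: a few wording and unit fixes in the MaxClients and Raising MaxClients sections: "Based in this observation" should read "Based on this observation", "serios issue" should be "serious issue", and "raise maxclients" should use the directive's spelling MaxClients as the headings and the rest of the text do. "32Mb", "1Mb" and "each 1Mb memory" denote megabytes and are conventionally written MB ("Mb" reads as megabits, which would understate the figures eightfold); the last phrase reads better as "each MB of memory".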