Andreas Krennmair wrote: > * Guenter Knauf <fua...@apache.org> [2009-06-22 04:30]: >> wouldnt limiting the number of simultanous connections from one IP >> already help? F.e. something like: >> http://gpl.net.ua/modipcount/downloads.html > > Not only would this be futile against the Slowloris attack (imagine n > connections from n hosts instead of n connections from 1 host), it would > also potentially lock out groups of people behind the same NAT gateway.
FWIW mod_remoteip can be used to partially mitigate the weakness of this class of solutions. However, it only works for known, trusted proxies, and can only be safely used for those with public IP's. Where the same 10.0.0.5 on your private NAT backed becomes the same 10.0.0.5 within the apache server's DMZ, the issues like Allow from 10.0.0.0/8 become painfully obvious. I haven't found a good solution, but mod_remoteip still needs one, eventually.
