The Slowloris attack operates by exploiting Apache's thread-based architecture. Unlike traditional DDoS attacks that flood servers with traffic, Slowloris maintains multiple partial HTTP connections, keeping them open as long as possible to exhaust server resources.
With the prefork or worker MPM, Apache dedicates a process or thread to each connection, so a client that keeps a connection open and never finishes sending its request headers holds a worker slot for the whole time. The default worker limit (typically a MaxClients of 150-256; the directive is named MaxRequestWorkers in Apache 2.4) is small enough to exhaust from a single host:
```apache
# Typical Apache MPM configuration (Apache 2.2 names; in 2.4 use
# MaxRequestWorkers and MaxConnectionsPerChild)
<IfModule mpm_prefork_module>
    StartServers        5
    MinSpareServers     5
    MaxSpareServers     10
    MaxClients          150
    MaxRequestsPerChild 0
</IfModule>
```
Mitigation options:

1. Timeout optimization:

```apache
# Reduce from the default of 300 seconds (Apache does not accept a comment
# on the same line as a directive, so comments go on their own line)
Timeout 30
KeepAliveTimeout 5
MaxKeepAliveRequests 100
```

Note that Timeout bounds the wait for each individual read, and a Slowloris client sends a few bytes before each wait expires; the bundled mod_reqtimeout module (RequestReadTimeout) is the directive that caps the total time allowed to receive the request headers.
2. Connection rate limiting:

```apache
# Using mod_qos
<IfModule mod_qos.c>
    # Maximum concurrent connections from one client IP
    QS_SrvMaxConnPerIP   50
    # Stop honouring keep-alive once 180 connections are in use
    QS_SrvMaxConnClose   180
    # Minimum bytes/second a client must send or receive: 150 at low load,
    # rising to 1200 as the server fills; slower clients are disconnected.
    # This is the directive that targets slow-header clients directly.
    QS_SrvMinDataRate    150 1200
</IfModule>
```
3. Request flood detection with mod_evasive:

```apache
<IfModule mod_evasive20.c>
    DOSHashTableSize  3097
    DOSPageCount      2
    DOSSiteCount      50
    DOSPageInterval   1
    DOSSiteInterval   1
    DOSBlockingPeriod 300
    DOSEmailNotify    admin@example.com
</IfModule>
```

mod_evasive counts completed requests per client, so it catches request floods; a connection whose headers never complete is not counted by it, which is why the timeout and data-rate controls above are still needed.
Nginx as front-end example. Nginx handles idle connections in its event loop, so a slow client costs it a socket rather than a worker, and client_header_timeout limits the total time to receive the complete header, not the gap between reads:

```nginx
http {
    client_header_timeout 5s;
    client_body_timeout   5s;
    send_timeout          5s;
    proxy_read_timeout    5s;
    proxy_send_timeout    5s;

    upstream apache_backend {
        server 127.0.0.1:8080;
        keepalive 16;
    }

    server {
        listen 80;
        location / {
            proxy_pass http://apache_backend;
            # HTTP/1.1 and an empty Connection header are required for upstream keepalive
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }
    }
}
```
For AWS environments, CloudFront terminates client connections at the edge with its own timeouts, so a slow client never holds an origin worker. A Lambda@Edge viewer-request function runs only after the complete request has arrived, so it cannot observe header timing; it can only act on the request content, for example on a marker header set by an upstream control:

```javascript
// CloudFront viewer-request handler (Lambda@Edge)
exports.handler = async (event) => {
    const request = event.Records[0].cf.request;
    // Header names are lowercased; each value is an array of {key, value} objects
    const headers = request.headers;
    // x-slowloris is an illustrative marker header, not something an attacker sends.
    // Do not block on "Connection: keep-alive": every current browser sends it,
    // so that check would reject legitimate traffic.
    if (headers['x-slowloris']) {
        return {
            status: '403',
            statusDescription: 'Forbidden'
        };
    }
    return request;
};
```
Example Nagios check:

```bash
#!/bin/bash
# Count established client connections to local port 80.
# Slowloris connections are fully established TCP sessions, so they must be
# included; filtering out ESTABLISHED would count only LISTEN and TIME_WAIT.
# Equivalent with iproute2: ss -Htan state established '( sport = :80 )' | wc -l
WARNING=100
CRITICAL=150
APACHE_CONN=$(netstat -ant | awk '$4 ~ /:80$/ && $6 == "ESTABLISHED"' | wc -l)
if [ "$APACHE_CONN" -ge "$CRITICAL" ]; then
    echo "CRITICAL: $APACHE_CONN connections"
    exit 2
elif [ "$APACHE_CONN" -ge "$WARNING" ]; then
    echo "WARNING: $APACHE_CONN connections"
    exit 1
else
    echo "OK: $APACHE_CONN connections"
    exit 0
fi
```
For high-traffic sites, consider migrating to event-based servers such as Nginx or LiteSpeed:

```
# LiteSpeed httpd_config.conf tuning section (the limits live under
# "tuning", not "event")
tuning {
    maxConnections    1000
    maxSSLConnections 300
    connTimeout       30
    keepAliveTimeout  5
}
```
In summary:

- Implement connection timeouts under 30 seconds
- Enable rate limiting per IP
- Deploy a reverse proxy with stricter timeouts
- Monitor connection states regularly
- Consider cloud-based DDoS protection services
The Slowloris attack exploits Apache's connection handling mechanism by maintaining multiple partial HTTP requests. Unlike traditional DDoS attacks that flood bandwidth, Slowloris exhausts server resources by keeping connections open indefinitely.
```apache
# In httpd.conf or apache2.conf
Timeout 30
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
# MaxClients is MaxRequestWorkers in Apache 2.4
MaxClients 256
MinSpareServers 32
MaxSpareServers 64
```
```apache
# mod_evasive configuration
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify admin@example.com
```
Nginx configuration example as reverse proxy (the server block is needed to actually route traffic to the upstream):

```nginx
http {
    proxy_read_timeout    5s;
    proxy_send_timeout    5s;
    proxy_connect_timeout 5s;
    client_header_timeout 5s;
    client_body_timeout   5s;
    send_timeout          5s;

    upstream apache_backend {
        server 127.0.0.1:8080;
        keepalive 16;
    }

    server {
        listen 80;
        location / {
            proxy_pass http://apache_backend;
            # required for the upstream keepalive pool to be used
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }
    }
}
```
ModSecurity rules. ModSecurity inspects a request only once its headers have been fully received, so it cannot see the slow-header phase itself; these rules act on request content:

```apache
# Slowloris detection rules
# A User-Agent match is trivial for a client to change; low value on its own
SecRule REQUEST_HEADERS:User-Agent "@pm Slowloris" \
    "id:'123456',phase:1,deny,status:403,msg:'Slowloris Attack Detected'"
# Deny when a score accumulated by preceding rules (not shown here) reaches 5.
# Test the variable's value, not "&TX:..." (which counts variables, giving 0 or 1),
# and use phase:1, since phase 5 is logging only and cannot deny.
SecRule TX:SLOWLORIS_SCORE "@ge 5" \
    "id:'123457',phase:1,t:none,deny,status:403,msg:'Potential Slowloris Attack'"
```
Linux kernel parameters adjustment. These settings harden the TCP stack against SYN floods and connection churn; Slowloris completes the TCP handshake, so they complement rather than replace the application-level timeouts above:

```
# /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_fin_timeout = 30
```
Consider using specialized DDoS protection services:
- Cloudflare's "I'm Under Attack" mode
- AWS Shield Advanced
- Akamai Kona Site Defender
Sample bash script to monitor connections:

```bash
#!/bin/bash
# Established connections to port 80 grouped by client IP, refreshed every 5 s.
# The cut on ':' assumes IPv4 addresses.
watch -n 5 "netstat -ant | awk '\$4 ~ /:80\$/ && \$6 == \"ESTABLISHED\" {print \$5}' | cut -d: -f1 | sort | uniq -c | sort -nr"
```
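The Nagios check and the watch pipeline above count TCP sockets, which also climb under ordinary load. A signal specific to this attack is the Apache mod_status scoreboard: workers parked in the "R" (reading request) state, which normally lasts milliseconds. The following check, added here as an example and not part of the original page, parses a mod_status "?auto" page and grades it Nagios-style; the two sample pages are constructed, and the 50%/80% thresholds are assumed values to tune per site.

```python
import re
import sys
import urllib.request
from typing import Dict, Tuple

# Scoreboard characters used by Apache mod_status ("?auto" output).
STATE_NAMES = {"R": "reading", "W": "writing", "K": "keepalive", "_": "idle", ".": "open"}

def parse_scoreboard(status_text: str) -> Dict[str, int]:
    """Count workers per state from the 'Scoreboard:' line of a mod_status page."""
    match = re.search(r"^Scoreboard:\s*(\S+)", status_text, re.MULTILINE)
    if not match:
        raise ValueError("no Scoreboard line found in mod_status output")
    counts = {name: 0 for name in [*STATE_NAMES.values(), "other"]}  # other: C, D, L, G, I
    for ch in match.group(1):
        counts[STATE_NAMES.get(ch, "other")] += 1
    return counts

def assess(counts: Dict[str, int], warn: float = 0.5, crit: float = 0.8) -> Tuple[int, str]:
    """Nagios-style verdict (exit code, message). Under Slowloris most busy workers
    sit in 'R' (still reading headers); thresholds are the fraction of busy workers
    in that state (assumed values)."""
    busy = counts["reading"] + counts["writing"] + counts["keepalive"]
    ratio = counts["reading"] / busy if busy else 0.0
    free = counts["idle"] + counts["open"]
    summary = f"{counts['reading']}/{busy} busy workers reading headers, {free} free slots"
    if ratio >= crit:
        return 2, "CRITICAL: " + summary
    if ratio >= warn:
        return 1, "WARNING: " + summary
    return 0, "OK: " + summary

def make_status(scoreboard: str) -> str:
    """Build a constructed sample mod_status page (not captured from a real server)."""
    busy = sum(scoreboard.count(c) for c in "RWK")
    return f"BusyWorkers: {busy}\nIdleWorkers: {scoreboard.count('_')}\nScoreboard: {scoreboard}\n"

# 150 worker slots, matching the MaxClients 150 configuration shown earlier.
ATTACK_STATUS = make_status("_" * 10 + "R" * 132 + "W" * 5 + "K" * 3)
HEALTHY_STATUS = make_status("_" * 100 + "W" * 30 + "K" * 15 + "R" * 5)

if __name__ == "__main__":
    # With a URL argument, read a live page (needs mod_status and access to /server-status).
    url = sys.argv[1] if len(sys.argv) > 1 else None
    text = urllib.request.urlopen(url, timeout=5).read().decode("utf-8", "replace") if url else ATTACK_STATUS
    code, message = assess(parse_scoreboard(text))
    print(message)
    sys.exit(code)
```

Run it as a Nagios plugin with the URL of the server-status page as its argument; without an argument it evaluates the constructed attack sample.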