Comments on How To Defend slowloris DDoS With mod_qos (Apache2 On Debian [Lenny])

How To Defend slowloris DDoS With mod_qos (Apache2 On Debian [Lenny])

mod_qos gives some fine-grained opportunities to scale the number of used connections and to defend against an attack according to bandwidth limits. Unfortunately it is only available as a source package and there are many possible settings, which might be hard to set up for this special case. So I provide the way that helped me.

6 Comment(s)

Comments

By: Anonymous

Just a quick heads up: Linux has a limit on filehandles/sockets per process as well. 1024 by default I think. Programs like the Octopus attacker (incredibly fast, older, but less polished than SlowLoris - saw good use in the AnonNet attacks against MAQS and the IFPI) get around that by just spawning more processes.

What gets me is that this type of attack, using connections up rather than bandwidth, is about 30 years old, and people are only just thinking of doing anything about it.

By:

Thanks for this article. Last week my server was attacked with this method. My question is: can mod_security not defend against this attack? Thanks.

By:

Well, as far as I know mod_security, it analyses the content stream of an HTTP request and compares it to configured signatures. But that kind of (slowloris) attack is based on the number of connections rather than contents (or requests), so I think mod_security won't help much.

By: Amza Marian

 "Just a quick heads up: Linux has a limit on filehandles/sockets per process as well. 1024 by default I think. Programs like the Octopus attacker (incredibly fast, older, but less polished than SlowLoris - saw good use in the AnonNet attacks against MAQS and the IFPI) get around that by just spawning more processes."

It is very easy to increase the maximum number of allowed sockets on Linux. Also, you can use some iptables rules together with the QoS module.

You can read more about increasing the amount of memory associated with input and output socket buffers, TCP tuning and ulimit (kernel parameters).

By: lanthruster

I've tested mod_qos-9.8 with Apache 2.2/FastCGI/PHP/event MPM on a Linux box with approximately 30K hosts daily, undergoing a DoS flooding attack and SYN/ACK attacks from a botnet. ip_conntrack is disabled.

Though mod_qos looked like a solution, after a while it showed some problems.

1. It counts IP connections wrong: I saw 160 connections from an IP and rising while netstat -nt showed no connections from this IP at all.

2. After it erroneously counts IP addresses there is no way to correct it but to restart Apache.

3. After about an hour of work it would crash Apache threads with segmentation faults, including the Apache servers, which is not surprising considering how it counts IP addresses.

At least in my case mod_qos cannot be considered a stable solution. Though it is addressing the problem in the right way, the implementation suffers from a lack of testing. Maybe sometime in the future it's going to be stable, but so far, alas.
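
The cross-check described in the comment above (comparing a module's per-IP counter with what `netstat -nt` reports) can be scripted. This is an added example, not part of the original comment and not mod_qos code; the function names and the sample connection table are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-IP count of ESTABLISHED connections to a local port,
# computed from `netstat -nt` style output read on stdin.

# Constructed sample in `netstat -nt` format (documentation-range addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40222       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40223       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.9:60100       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:51234    ESTABLISHED
EOF
}

# conns_per_ip PORT: print "count ip" for ESTABLISHED connections to PORT.
conns_per_ip() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            # The port is whatever follows the last colon (also true for IPv6).
            lp = $4; sub(/.*:/, "", lp)
            if (lp != port) next
            ip = $5; sub(/:[^:]*$/, "", ip)
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# heavy_ips PORT LIMIT: print only the IPs holding more than LIMIT connections.
heavy_ips() {
    conns_per_ip "$1" | awk -v limit="$2" '$1 > limit { print $2 }'
}

sample_netstat | conns_per_ip 80
# On a live server: netstat -nt | heavy_ips 80 50
```

Only ESTABLISHED sockets are counted, since those are the ones a slow-connection attack holds open; the limit of 50 in the last comment is an arbitrary placeholder to be tuned per site.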


By: alice

There is some error info when I install this mod. Is pcre needed? The following are my steps and the error info.

Steps:

sudo wget http://mirror.bjtu.edu.cn/apache/httpd/httpd-2.2.21.tar.gz
sudo tar zxvf httpd-2.2.21.tar.gz
cd httpd-2.2.21
sudo ./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-rewrite --enable-so --enable-headers --enable-proxy
sudo make
sudo make install
sudo wget http://sourceforge.net/projects/mod-qos/files/mod_qos-9.72.tar.gz/download
sudo tar zxvf mod_qos-9.72.tar.gz
cd mod_qos-9.72/apache2
sudo /usr/local/apache2/bin/apxs -i -c mod_qos.c

And the following is the error info:

/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/local/apache2/include -I/usr/include/apr-1 -I/usr/include/apr-1 -c -o mod_qos.lo mod_qos.c && touch mod_qos.slo
mod_qos.c:72:18: error: pcre.h: No such file or directory
mod_qos.c:330: error: expected specifier-qualifier-list before 'pcre'
mod_qos.c:344: error: expected specifier-qualifier-list before 'pcre'
mod_qos.c:681: error: expected specifier-qualifier-list before 'pcre'
mod_qos.c: In function 'qos_load_headerfilter':
mod_qos.c:831: error: 'qos_fhlt_r_t' has no member named 'pcre'
mod_qos.c:831: error: 'PCRE_DOTALL' undeclared (first use in this function)
mod_qos.c:831: error: (Each undeclared identifier is reported only once
mod_qos.c:831: error: for each function it appears in.)
mod_qos.c:832: error: 'qos_fhlt_r_t' has no member named 'action'
mod_qos.c:833: error: 'qos_fhlt_r_t' has no member named 'size'
mod_qos.c:834: error: 'qos_fhlt_r_t' has no member named 'pcre'
mod_qos.c:841: error: 'qos_fhlt_r_t' has no member named 'pcre'
mod_qos.c:841: error: 'pcre_free' undeclared (first use in this function)
mod_qos.c: In function 'qos_per_dir_event_rules':
mod_qos.c:2152: error: 'qos_rfilter_t' has no member named 'type'
mod_qos.c:2154: error: 'qos_rfilter_t' has no member named 'text'
mod_qos.c:2155: error: 'qos_rfilter_t' has no member named 'text'
mod_qos.c:2159: error: 'qos_rfilter_t' has no member named 'text'
mod_qos.c:2165: error: 'qos_rfilter_t' has no member named 'action'
mod_qos.c:2169: error: 'qos_rfilter_t' has no member named 'type'
mod_qos.c:2170: error: 'qos_rfilter_t' has no member named 'id'
mod_qos.c:2171: error: 'qos_rfilter_t' has no member named 'text'
mod_qos.c:2171: error: 'qos_rfilter_t' has no member named 'action'
mod_qos.c:2174: error: 'qos_rfilter_t' has no member named 'action'
mod_qos.c: In function 'qos_per_dir_rules':
mod_qos.c:2611: error: 'qos_rfilter_t' has no member named 'type'
mod_qos.c:2613: error: 'qos_rfilter_t' has no member named 'pr'
mod_qos.c:2614: error: 'qos_rfilter_t' has no member named 'type'
mod_qos.c:2616: error: 'qos_rfilter_t' has no member named 'pr'
mod_qos.c:2617: error: 'qos_rfilter_t' has no member named 'type'
mod_qos.c:2619: error: 'qos_rfilter_t' has no member named 'pr'
mod_qos.c:2620: error: 'qos_rfilter_t' has no member named 'type'
mod_qos.c:2624: error: 'qos_rfilter_t' has no member named 'pr'
mod_qos.c:2625: error: 'qos_rfilter_t' has no member named 'action'
mod_qos.c:2631: error: 'qos_rfilter_t' has no member named 'action'
mod_qos.c:2635: error: 'qos_rfilter_t' has no member named 'type'
mod_qos.c:2636: error: 'qos_rfilter_t' has no member named 'id'
mod_qos.c:2637: error: 'qos_rfilter_t' has no member named 'text'
mod_qos.c:2637: error: 'qos_rfilter_t' has no member named 'action'
mod_qos.c:2640: error: 'qos_rfilter_t' has no member named 'action'
mod_qos.c: In function 'qos_header_filter':
mod_qos.c:2676: error: 'qos_fhlt_r_t' has no member named 'pcre'
mod_qos.c:2680: error: 'qos_fhlt_r_t' has no member named 'size'
mod_qos.c:2685: error: 'qos_fhlt_r_t' has no member named 'size'
mod_qos.c:2686: error: 'qos_fhlt_r_t' has no member named 'action'
mod_qos.c: In function 'qos_setenvresheader':
mod_qos.c:2897: error: 'pcre' undeclared (first use in this function)
mod_qos.c:2897: error: 'pr' undeclared (first use in this function)
mod_qos.c:2897: error: expected expression before ')' token
mod_qos.c: In function 'qos_parp_hp_body':
mod_qos.c:3033: error: 'qos_setenvifparpbody_t' has no member named 'preg'
mod_qos.c:3035: error: 'qos_setenvifparpbody_t' has no member named 'name'
mod_qos.c:3036: error: 'qos_setenvifparpbody_t' has no member named 'value'
mod_qos.c:3048: error: 'qos_setenvifparpbody_t' has no member named 'pregx'
mod_qos.c: In function 'qos_post_config':
mod_qos.c:6939: error: 'qos_fhlt_r_t' has no member named 'action'
mod_qos.c:6940: error: 'qos_fhlt_r_t' has no member named 'size'
mod_qos.c:6947: error: 'qos_fhlt_r_t' has no member named 'action'
mod_qos.c:6948: error: 'qos_fhlt_r_t' has no member named 'size'
mod_qos.c: In function 'qos_event_setenvresheadermatch_cmd':
mod_qos.c:8216: error: 'pcre' undeclared (first use in this function)
mod_qos.c:8216: error: 'pr' undeclared (first use in this function)
mod_qos.c:8216: error: 'PCRE_DOTALL' undeclared (first use in this function)
mod_qos.c:8216: error: 'PCRE_CASELESS' undeclared (first use in this function)
mod_qos.c:8223: error: 'pcre_free' undeclared (first use in this function)
mod_qos.c: In function 'qos_event_setenvifparpbody_cmd':
mod_qos.c:8292: error: 'qos_setenvifparpbody_t' has no member named 'pregx'
mod_qos.c:8296: error: 'qos_setenvifparpbody_t' has no member named 'preg'
mod_qos.c:8296: error: 'PCRE_DOTALL' undeclared (first use in this function)
mod_qos.c:8296: error: 'PCRE_CASELESS' undeclared (first use in this function)
mod_qos.c:8297: error: 'qos_setenvifparpbody_t' has no member named 'preg'
mod_qos.c:8303: error: 'qos_setenvifparpbody_t' has no member named 'preg'
mod_qos.c:8303: error: 'pcre_free' undeclared (first use in this function)
mod_qos.c:8304: error: 'qos_setenvifparpbody_t' has no member named 'pregx'
mod_qos.c:8308: error: 'qos_setenvifparpbody_t' has no member named 'name'
mod_qos.c:8309: error: 'qos_setenvifparpbody_t' has no member named 'name'
mod_qos.c:8311: error: 'qos_setenvifparpbody_t' has no member named 'value'
mod_qos.c:8315: error: 'qos_setenvifparpbody_t' has no member named 'value'
mod_qos.c: In function 'qos_deny_cmd':
mod_qos.c:8752: error: 'qos_rfilter_t' has no member named 'type'
mod_qos.c:8757: error: 'qos_rfilter_t' has no member named 'id'
mod_qos.c:8759: error: 'qos_rfilter_t' has no member named 'action'
mod_qos.c:8761: error: 'qos_rfilter_t' has no member named 'action'
mod_qos.c:8766: error: 'qos_rfilter_t' has no member named 'type'
mod_qos.c:8767: error: 'qos_rfilter_t' has no member named 'pr'
mod_qos.c:8767: error: 'PCRE_DOTALL' undeclared (first use in this function)
mod_qos.c:8768: error: 'qos_rfilter_t' has no member named 'pr'
mod_qos.c:8774: error: 'qos_rfilter_t' has no member named 'pr'
mod_qos.c:8774: error: 'pcre_free' undeclared (first use in this function)
mod_qos.c:8776: error: 'qos_rfilter_t' has no member named 'text'
mod_qos.c: In function 'qos_deny_rql_cmd':
mod_qos.c:8782: error: 'PCRE_CASELESS' undeclared (first use in this function)
mod_qos.c: In function 'qos_deny_path_cmd':
mod_qos.c:8786: error: 'PCRE_CASELESS' undeclared (first use in this function)
mod_qos.c: In function 'qos_deny_query_cmd':
mod_qos.c:8790: error: 'PCRE_CASELESS' undeclared (first use in this function)
mod_qos.c: In function 'qos_headerfilter_rule_cmd':
mod_qos.c:9008: error: 'qos_fhlt_r_t' has no member named 'size'
mod_qos.c:9013: error: 'qos_fhlt_r_t' has no member named 'pcre'
mod_qos.c:9013: error: 'PCRE_DOTALL' undeclared (first use in this function)
mod_qos.c:9015: error: 'qos_fhlt_r_t' has no member named 'action'
mod_qos.c:9017: error: 'qos_fhlt_r_t' has no member named 'action'
mod_qos.c:9022: error: 'qos_fhlt_r_t' has no member named 'pcre'
mod_qos.c:9029: error: 'qos_fhlt_r_t' has no member named 'size'
mod_qos.c:9034: error: 'qos_fhlt_r_t' has no member named 'pcre'
mod_qos.c:9034: error: 'pcre_free' undeclared (first use in this function)
mod_qos.c: In function 'qos_resheaderfilter_rule_cmd':
mod_qos.c:9051: error: 'qos_fhlt_r_t' has no member named 'size'
mod_qos.c:9053: error: 'qos_fhlt_r_t' has no member named 'pcre'
mod_qos.c:9053: error: 'PCRE_DOTALL' undeclared (first use in this function)
mod_qos.c:9054: error: 'qos_fhlt_r_t' has no member named 'action'
mod_qos.c:9055: error: 'qos_fhlt_r_t' has no member named 'pcre'
mod_qos.c:9062: error: 'qos_fhlt_r_t' has no member named 'size'
mod_qos.c:9067: error: 'qos_fhlt_r_t' has no member named 'pcre'
mod_qos.c:9067: error: 'pcre_free' undeclared (first use in this function)
apxs:Error: Command failed with rc=65536

Hoping for your reply, thanks.