I first mentioned Slowloris on this blog in 2009, more than 6 years ago. To this day, it’s still a very effective attack on Apache servers.

Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. It’s a SYN-flood attack, but aimed directly at Apache.

This is particularly nasty, because it won’t show up in your webserver logs until a request has finished, and it’s the design of Slowloris to never finish requests and just keep them open. You won’t detect Slowloris in your logs; you have to use other tools to detect such an attack.

Slowloris is a Perl script; you can grab it from my mirrored GitHub repo. The above will connect to on port 80 and attempt to make 750 connections to Apache and keep them open.

To be on the receiving end of a Slowloris attack, you’ll see the following. If your apachectl status still works (it probably won’t, because all your httpd processes will be busy), it will look like this.

    $ apachectl status
    CPU Usage: u2.18 s.2 cu0 cs0
    .817 requests/sec - 11.1 kB/second - 13.5 kB/request
    831 requests currently being processed, 2 idle workers
    RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
    RRRRRRRRRRRRRRRRRRRRRRRRRRWRRRRRRRKRRRRRRRRRRRRRRRRRRRRRRRRRRRRR

The symptoms are: very low CPU usage, a lot of Apache processes, very few new requests/s. Slowloris works by making more and more requests, until it reaches your Apache’s MaxClients limit.

    AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

For Apache 2.2, it looks like this.

    server reached MaxClients setting, consider raising the MaxClients setting

The symptoms are always the same: MaxClients will be reached. It’s how Slowloris prevents new connections from coming through.

What it looks like for a visitor of your site

Anyone trying to connect to your site will have a “connecting” icon that keeps waiting forever. The site won’t load and your visitors will never get to see the content. If you have a webshop, you’ll miss sales.

Blocking a Slowloris attack by blocking the IP

You can detect the attack if you see such logs, but you don’t know who started the attack: the source IP isn’t logged until the HTTP requests are finished.

You can use netstat to list the most active IPs on your server. Slowloris may try to hide from the Apache service, but it can’t hide from the network. Every request to Apache is still a connection to the server. I had 105 connections from 92.243.xx.xx, which isn’t normal for a webserver. Chances are, that’s the one performing the Slowloris attack.
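
The netstat check described on this page, written out as an added example (not code from the original post): it counts TCP connections per remote address to the web ports and reports any address at or above a threshold, folding IPv4-mapped IPv6 addresses into their IPv4 form. The function names, the default threshold of 50 and the sample addresses are assumptions; the sample input is constructed.

```shell
#!/bin/sh
# top_web_clients THRESHOLD [PORTS]
# Reads `netstat -nt` output on stdin and prints "COUNT IP" for each remote
# address with at least THRESHOLD TCP connections to a local web port.
top_web_clients() {
    threshold="${1:-50}"
    ports="${2:-80,443}"
    awk -v min="$threshold" -v ports="$ports" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) web[p[i]] = 1 }
        $1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" {
            # Addresses are "addr:port"; the port follows the last colon.
            lport = $4; sub(/^.*:/, "", lport)
            if (!(lport in web)) next
            ip = $5; sub(/:[0-9]+$/, "", ip)
            sub(/^::ffff:/, "", ip)   # fold IPv4-mapped IPv6 into plain IPv4
            count[ip]++               # every state counts: the socket is held
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation-range addresses, not real traffic).
sample_netstat() {
    echo "Proto Recv-Q Send-Q Local Address Foreign Address State"
    echo "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN"
    echo "tcp 0 0 198.51.100.10:22 203.0.113.7:50022 ESTABLISHED"
    i=0
    while [ "$i" -lt 105 ]; do
        if [ "$i" -lt 100 ]; then
            echo "tcp 0 0 198.51.100.10:80 203.0.113.7:$((40000 + i)) ESTABLISHED"
        else
            echo "tcp6 0 0 :::80 ::ffff:203.0.113.7:$((40000 + i)) ESTABLISHED"
        fi
        i=$((i + 1))
    done
    for port in 51001 51002 51003; do
        echo "tcp 0 0 198.51.100.10:80 198.51.100.23:$port TIME_WAIT"
    done
}

# On a live server: netstat -nt | top_web_clients 50
sample_netstat | top_web_clients 50
```

A single address far above the rest, while Apache reports MaxClients reached and almost no completed requests, is the pattern to look for; a busy proxy or NAT gateway can also show a high count, so compare against normal traffic before blocking.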