Slowloris AttackSlowloris is a piece of software written by Robert "RSnake" Hansen which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.
Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
Configure mod_qos to prevent Slowloris DDOS on Apache 2Download mod_qos
# cd ~root
# wget “http://downloads.sourceforge.net/project/mod-qos/mod_qos-9.71.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fmod-qos%2Ffiles%2F&ts=1318107337&use_mirror=iweb”
# tar xvfz mod_qos-9.71.tar.gz
# cd mod_qos-9.71/apache2/
# apxs -i -c mod_qos.c
Put the following line inside httpd.conf and restart apache
LoadModule qos_module /usr/lib/httpd/modules/mod_qos.so
Load configuration:
# create the qos conf file qos.conf
Paste these:
## QoS Settings
<IfModule mod_qos.c>
# handles connections from up to 100000 different IPs
QS_ClientEntries 100000
# will allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections is limited to 256
MaxClients 256
# disables keep-alive when 70% of the TCP connections are occupied:
QS_SrvMaxConnClose 70%
# minimum request/response speed (deny slow clients blocking the server, ie. slowloris keeping connections open without requesting anything):
QS_SrvMinDataRate 150 1200
# and limit request header and body (carefull, that limits uploads and post requests too):
# LimitRequestFields 30
# QS_LimitRequestBody 102400
</IfModule>