Configuration to block SlowLoris
Posted: 29 Apr 2013, 14:25
by rogeriobrito
Hello all,
I've seen on the forums that I could block a Slowloris attack using Port Flood and Connection Tracking options.
What's the recommended configuration for those options to correctly block the Slowloris attack?
Thanks a lot,
Rogerio
Re: Configuration to block SlowLoris
Posted: 30 Apr 2013, 02:26
by Sergio
The best option is to use Mod_QOS
Re: Configuration to block SlowLoris
Posted: 30 Apr 2013, 06:57
by nibb
rogeriobrito wrote:
Hello all,
I've seen on the forums that I could block a Slowloris attack using Port Flood and Connection Tracking options.
What's the recommended configuration for those options to correctly block the Slowloris attack?
Thanks a lot,
Rogerio
There is no recommended setting; it depends on the attack (the settings the attacker is using), so a high setting may be worthless if the attack is short and low, but a setting too low would block real users. You need to find a combination, after lots of testing, which suits your server, as this would be different for each server (hardware and traffic it receives) and even the services or type of users the server is hosting.
It's similar to asking for a my.cnf for MySQL or how many websites a server can host. Nobody except the system admin or someone with access can answer this question.
I would suggest you not turn the options on unless you are under attack. The answer also depends on how big your server is in terms of hardware to sustain it. Using a software firewall is only good to a point; then it will make the server suffer as well. In particular, in low VPS settings, iptables will probably take your server down before the attack does, if it keeps filling up.
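The trade-off described in the last reply (a per-IP connection limit set too low blocks real users, one set too high misses the attack) can be measured before any limit is chosen. The following is an added example, not part of any post in this thread: it counts established connections per remote IP from text in the column layout of `ss -tn` and shows which clients each candidate limit would block. The sample connection table, the addresses and the candidate limits are constructed for illustration.

```python
from collections import Counter

def build_sample():
    """Constructed connection table in the column layout of `ss -tn`."""
    rows = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    # (remote IP, concurrent connections, local port) -- all constructed
    clients = [("198.51.100.7", 3, 80),    # ordinary browser
               ("198.51.100.8", 12, 443),  # assumed: many users behind one NAT
               ("203.0.113.50", 40, 80),   # client holding many connections open
               ("198.51.100.9", 1, 22)]    # SSH session, not a web port
    for ip, n, port in clients:
        for i in range(n):
            rows.append(f"ESTAB 0 0 192.0.2.10:{port} {ip}:{40000 + i}")
    rows.append("TIME-WAIT 0 0 192.0.2.10:80 198.51.100.7:39999")
    return "\n".join(rows)

def per_ip_counts(ss_text, ports=(80, 443)):
    """Count ESTAB connections per remote IP to the given local ports."""
    counts = Counter()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # skips the header and non-established states
        local_port = fields[3].rsplit(":", 1)[1]
        if not local_port.isdigit() or int(local_port) not in ports:
            continue
        # rsplit keeps IPv6 peers such as [2001:db8::1]:443 intact
        counts[fields[4].rsplit(":", 1)[0].strip("[]")] += 1
    return counts

def limit_report(counts, candidates):
    """Map each candidate limit to the IPs that would exceed it."""
    return {limit: sorted(ip for ip, n in counts.items() if n > limit)
            for limit in candidates}

if __name__ == "__main__":
    counts = per_ip_counts(build_sample())
    for limit, blocked in limit_report(counts, [10, 20, 50]).items():
        print(f"limit {limit:>3}: would block {blocked or 'nobody'}")
```

Running the same functions on captures taken during normal peak traffic shows how many concurrent connections legitimate clients of a given server actually hold.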