A Slowloris (slow HTTP) denial-of-service attack targets thread-based web servers such as Apache. The Apache web servers used by Faspex and Console are therefore exposed to it, while applications built on nginx, such as Shares, are not affected.
The attack exploits the fact that Apache does not process a request until it has received the complete HTTP headers, and holds the connection (and the worker thread serving it) open while it waits for them. An attacker therefore sends many incomplete GET requests and keeps those connections open, so that other users' requests are never picked up by a worker.
Apache does have a default TimeOut of 300 seconds, after which it stops waiting for the incomplete headers and closes the connection, but because that timer restarts every time the client sends more data, an attacker only needs to trickle a few bytes of garbage before each timeout expires to keep the connection open indefinitely.
To prevent this kind of attack you can use Apache's mod_reqtimeout module, which puts a limit on how long a request may take to arrive. As of Common 1.1.25 for Faspex and Common 1.2.20 for Console, mod_reqtimeout is included by default. If you have an earlier version of Common, we encourage you to upgrade for the added security benefits. If you prefer not to upgrade, you will need to add the mod_reqtimeout configuration yourself.
You can check your version of Common by running the following command:
1. Look for a file named reqtimeout.conf at the following location and open it in a text editor (create it if it does not exist):
C:\Program Files (x86)\Common Files\Aspera\Common\apache\custom\reqtimeout.conf
Because it lives in the custom folder, this configuration file is preserved across upgrades.
2. Paste the following content into reqtimeout.conf:
    <IfModule mod_reqtimeout.c>
        RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
        LimitRequestFields 100
        LimitRequestFieldSize 8190
        LimitRequestBody 102400
        LimitRequestLine 4094
        TimeOut 60
        ListenBacklog 1000
        KeepAliveTimeout 5
    </IfModule>
The settings above are a suggested starting point; you may need to tweak the individual values to suit your setup. Note that every directive sits inside <IfModule mod_reqtimeout.c>, so all of them are silently ignored unless the module is actually loaded: confirm that httpd.conf contains a LoadModule line for reqtimeout_module (running httpd -M lists the loaded modules).
This configuration is doing the following:
- Apache allows 20 seconds for the request headers to arrive. Every 500 bytes of header data received extends that deadline by one second, up to a hard limit of 40 seconds, so a genuinely slow client is tolerated while a trickle of one byte every few seconds is not.
- The same rule applies to the request body: 20 seconds initially, extended by one second for every 500 bytes of body data received, up to 40 seconds in total.
- The remaining directives cap the size of the request itself (at most 100 header fields of up to 8190 bytes each, a request line of up to 4094 bytes, and a request body of up to 100 KB; raise LimitRequestBody if your application must accept larger POST bodies) and shorten the other timers: TimeOut 60 replaces the 300-second default for I/O on an accepted request, KeepAliveTimeout 5 frees idle keep-alive connections after 5 seconds, and ListenBacklog 1000 lets more pending connections queue at the listener.
3. Save the file and restart Apache.
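To see why the MinRate extension matters, and to verify the protection once it is deployed, the following added example (written for this page; it is not code from the Aspera article or from IBM) models the RequestReadTimeout budget described above and compares it with the plain TimeOut behaviour. The budget model follows the documented mod_reqtimeout semantics (an initial allowance, one extra second per MinRate bytes received, a hard cap); the two traces are constructed, one for a Slowloris client trickling one byte every 5 seconds and one for an honest client on a slow link sending 12 kB of headers at 500 bytes per second. The trickle_probe function is an optional live check against a server you are authorised to test; the X-Slow header name it sends is an arbitrary placeholder.

```python
import socket
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

Trace = List[Tuple[float, int]]   # (seconds since accept, bytes received)


@dataclass(frozen=True)
class ReadTimeout:
    """One RequestReadTimeout budget, e.g. header=20-40,MinRate=500."""
    initial: float            # seconds allowed before any extension
    maximum: Optional[float]  # cap on the total wait; None = uncapped
    min_rate: int             # every min_rate bytes received adds 1 second

    def evaluate(self, trace: Trace) -> Tuple[bool, Optional[float]]:
        """Replay a trace and decide whether the request got through.

        Returns (True, None) if every event arrived before the deadline, or
        (False, closed_at) with the second at which Apache would have dropped
        the connection.  Per the mod_reqtimeout documentation, each read
        extends the deadline by bytes/min_rate seconds, never past maximum.
        """
        deadline = self.initial
        for t, nbytes in trace:
            if t > deadline:
                return False, deadline
            deadline += nbytes / self.min_rate
            if self.maximum is not None:
                deadline = min(deadline, self.maximum)
        return True, None


def core_timeout(trace: Trace, timeout: float = 300.0) -> Tuple[bool, Optional[float]]:
    """The plain TimeOut directive: the clock restarts on every read, which
    is exactly why a trickle of bytes keeps a connection open indefinitely."""
    deadline = timeout
    for t, _ in trace:
        if t > deadline:
            return False, deadline
        deadline = t + timeout
    return True, None


def slowloris_trace(interval: float = 5.0, duration: float = 120.0) -> Trace:
    """Constructed attacker: one header byte every `interval` seconds."""
    return [((i + 1) * interval, 1) for i in range(int(duration / interval))]


def slow_link_trace(total_bytes: int = 12000, bytes_per_second: int = 500) -> Trace:
    """Constructed honest client on a slow link: a steady chunk once a second,
    here 12 kB of headers that take 24 seconds to arrive in full."""
    return [(i + 1, bytes_per_second) for i in range(total_bytes // bytes_per_second)]


def trickle_probe(host: str, port: int = 80, interval: float = 5.0,
                  max_wait: float = 120.0) -> Optional[float]:
    """Live check against a server you are authorised to test: send a partial
    request, then one header byte every `interval` seconds, and return the
    seconds until the server gave up (closed the socket or answered, e.g. with
    a 408).  None means it was still waiting after max_wait, i.e. the
    Slowloris protection is not in effect."""
    sock = socket.create_connection((host, port), timeout=10)
    sock.setblocking(False)
    start = time.monotonic()
    try:
        # X-Slow is an arbitrary placeholder header that is never completed.
        sock.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nX-Slow: ")
        while time.monotonic() - start < max_wait:
            time.sleep(interval)
            try:
                sock.sendall(b"a")                # keep trickling, never finish
                sock.recv(1, socket.MSG_PEEK)     # data or b"": server gave up
                return time.monotonic() - start
            except BlockingIOError:
                continue                          # nothing to read: still waiting
            except OSError:                       # reset or broken pipe
                return time.monotonic() - start
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    hardened = ReadTimeout(initial=20, maximum=40, min_rate=500)
    fixed = ReadTimeout(initial=20, maximum=20, min_rate=500)   # same as header=20 alone
    print("TimeOut 300 vs Slowloris:", core_timeout(slowloris_trace()))
    print("header=20-40,MinRate=500 vs Slowloris:", hardened.evaluate(slowloris_trace()))
    print("header=20-40,MinRate=500 vs slow link:", hardened.evaluate(slow_link_trace()))
    print("header=20 (no extension) vs slow link:", fixed.evaluate(slow_link_trace()))
```

Under the default TimeOut the Slowloris trace is still alive after two minutes, whereas header=20-40,MinRate=500 drops it at roughly 20 seconds (one byte every 5 seconds earns almost no extension) and still lets the 24-second slow-link client finish, which a flat header=20 would cut off. To run trickle_probe against your own Faspex or Console host, call it before and after deploying reqtimeout.conf: the first run should return None, the second a value close to 20.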