Preventing Apache’s SlowLoris vulnerability for Faspex or Console

Description

A Slowloris or Slow HTTP DoS attack is a type of denial of service that affects web servers which dedicate a worker thread or process to each connection, such as Apache. The Apache web servers that ship with Faspex and Console are therefore exposed to this attack. Applications built on nginx, such as Shares, use an event-driven connection model that is not tied up by idle connections in the same way and are not affected.

The attack exploits the fact that Apache keeps a worker assigned to a connection until the complete HTTP request headers have been received. An attacker therefore opens many connections, sends an incomplete GET request on each one and never finishes the header. Once every available worker is tied up waiting, other users can no longer get their requests processed by the server.

Apache does have a default timeout of 300 seconds after which it stops waiting for incomplete HTTP headers and closes the connection, but because that timer is reset whenever the client sends more data, an attacker only has to trickle in a few bytes of garbage before each expiry to keep the connection open indefinitely.

Solution

To prevent this kind of attack, use Apache's mod_reqtimeout module, which bounds both the total time allowed for receiving a request and the minimum rate at which the client must deliver it.

As of Common 1.1.25 for Faspex and Common 1.2.20 for Console, the mod_reqtimeout configuration is included by default. If you have an earlier version of Common, we encourage you to upgrade for the added security benefits. If you prefer not to upgrade, you will need to add the mod_reqtimeout configuration yourself, as described below.

You can check your version of Common by running the following command:

asctl all:version

1. Look for a file named reqtimeout.conf at the following location and open it in a text editor (create it if it does not exist):

  • Linux: /opt/aspera/common/apache/custom/reqtimeout.conf
  • Windows: C:\Program Files (x86)\Common Files\Aspera\Common\apache\custom\reqtimeout.conf

Because it lives in the custom folder, this configuration file is preserved across upgrades.

2. Paste the following content into reqtimeout.conf:

# Bound the time a client may take to deliver a request, so that idle or
# trickling connections are dropped instead of holding a worker open.
<IfModule mod_reqtimeout.c>
    # Headers: 20 s to start with, extended by 1 s per 500 bytes received,
    # but never more than 40 s in total. The same rule applies to the body.
    RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>

# The directives below are core Apache settings and do not depend on
# mod_reqtimeout, so they are kept outside the <IfModule> block: they must
# apply even if the module is missing (inside it they would be silently ignored).
LimitRequestFields 100
LimitRequestFieldSize 8190
LimitRequestBody 102400
LimitRequestLine 4094
TimeOut 60
ListenBacklog 1000
KeepAliveTimeout 5

The configuration above is a suggested starting point; you may need to adjust individual settings to suit your deployment.

This configuration does the following:

  • Header read timeout: Apache allows 20 seconds to receive the request headers. Every 500 bytes the client sends extends that allowance by one second, up to a hard limit of 40 seconds from the start of the request. A client that sends nothing, or trickles data more slowly than 500 bytes per second, is cut off with a 408 Request Timeout.
  • Body read timeout: the same rule applies to the request body: 20 seconds initially, extended by one second per 500 bytes received, never beyond 40 seconds.
  • Request size limits: LimitRequestFields, LimitRequestFieldSize and LimitRequestLine cap the number of header fields, the size of each field and the length of the request line, so a single request cannot be stretched out indefinitely. LimitRequestBody caps the request body at 100 KB; raise it if your users legitimately post larger bodies through the web interface.
  • TimeOut 60 lowers the general I/O timeout from the 300-second default, ListenBacklog 1000 lets the kernel queue more pending connections while workers are busy, and KeepAliveTimeout 5 frees workers from idle keep-alive connections quickly.

Note that everything inside the <IfModule mod_reqtimeout.c> block is silently ignored when the module is not loaded, so confirm that mod_reqtimeout appears in Apache's list of loaded modules before relying on this configuration.

3. Save the file and restart Apache:

asctl apache:restart
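To verify the change after the restart, the following added example (it is not part of the original article or of the Aspera product) probes a server from a single connection: it sends an incomplete request header, optionally trickles one extra header line at a fixed interval the way a Slowloris client does, and reports whether and when the server closed the connection. Against a server with the RequestReadTimeout settings above, the connection should be dropped with a 408 after roughly 20 seconds regardless of the trickle; against a server whose only defence is an idle timer that resets on every byte, it stays open for as long as the probe runs. The host name faspex.example.com is a placeholder, and the bundled toy server exists only so the probe can be exercised offline: it models the two timeout behaviours and is not Apache. Run the probe only against servers you are authorised to test, with max_wait set above the server's configured header timeout.

```python
"""Single-connection slow-header probe (added example, not from the article).

Sends an HTTP request whose header never finishes and measures how long the
server keeps the connection open. A toy server mimicking a reqtimeout-style
limit and a naive resetting idle timer is included for offline use.
"""
import socket
import threading
import time

# Deliberately incomplete: no terminating blank line ends the header.
PARTIAL_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: faspex.example.com\r\n"      # hypothetical host name
    b"User-Agent: slow-header-probe\r\n"
)
DRIP = b"X-a: b\r\n"   # what a Slowloris client trickles to keep a naive timer alive


def probe_slow_header(host, port, max_wait=90.0, drip_interval=None):
    """Return (closed_by_server, seconds_open, bytes_received).

    If drip_interval is set, one extra header line is sent every that many
    seconds so a timer that resets on any data keeps being pushed back.
    """
    start = time.monotonic()
    received = b""
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.settimeout(0.1)                     # short poll so drips stay on schedule
        s.sendall(PARTIAL_REQUEST)
        next_drip = start + drip_interval if drip_interval else None
        while time.monotonic() - start < max_wait:
            if next_drip is not None and time.monotonic() >= next_drip:
                try:
                    s.sendall(DRIP)
                except OSError:               # peer already gone
                    return True, time.monotonic() - start, received
                next_drip += drip_interval
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                continue
            except OSError:                   # connection reset by peer
                return True, time.monotonic() - start, received
            if not chunk:                     # orderly close (FIN) from the server
                return True, time.monotonic() - start, received
            received += chunk                 # e.g. "HTTP/1.1 408 Request Timeout"
    return False, time.monotonic() - start, received


class ToyHeaderTimeoutServer(threading.Thread):
    """Loopback server that drops connections whose header is not complete in time.

    With min_rate set it follows RequestReadTimeout header=initial-maximum,
    MinRate=min_rate: the deadline starts at `initial` seconds and grows by
    1 s per `min_rate` bytes received, never beyond `maximum` seconds from
    connect. With min_rate=None it is the naive idle timer the article
    describes: any received byte pushes the deadline back by `initial` seconds.
    """

    def __init__(self, initial, maximum=None, min_rate=None):
        super().__init__(daemon=True)
        self.initial, self.maximum, self.min_rate = initial, maximum, min_rate
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))      # ephemeral port on loopback
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        start = time.monotonic()
        deadline = start + self.initial
        buf = b""
        with conn:                            # leaving the block closes the socket
            while b"\r\n\r\n" not in buf:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    try:
                        conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
                    except OSError:
                        pass
                    return
                conn.settimeout(remaining)
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    continue
                if not data:
                    return
                buf += data
                if self.min_rate is None:     # naive timer: reset on any data
                    deadline = time.monotonic() + self.initial
                else:                         # reqtimeout: extend per byte, capped
                    deadline = min(start + self.maximum, deadline + len(data) / self.min_rate)
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")


def run_offline_demo():
    """Probe both toy configurations with a trickling client; returns measurements."""
    hardened = ToyHeaderTimeoutServer(initial=1.0, maximum=2.0, min_rate=500)
    naive = ToyHeaderTimeoutServer(initial=1.0)
    hardened.start()
    naive.start()
    h_closed, h_secs, h_bytes = probe_slow_header("127.0.0.1", hardened.port,
                                                  max_wait=10.0, drip_interval=0.25)
    n_closed, n_secs, _ = probe_slow_header("127.0.0.1", naive.port,
                                            max_wait=3.0, drip_interval=0.25)
    return {"hardened_closed": h_closed, "hardened_seconds": h_secs,
            "hardened_response": h_bytes,
            "naive_closed": n_closed, "naive_seconds": n_secs}


if __name__ == "__main__":
    print(run_offline_demo())
```

Running the file executes the offline demo: the reqtimeout-style server drops the trickling client after about one second and answers 408, while the naive server is still holding the connection when the probe gives up. To check a real Faspex or Console host, call probe_slow_header with its address, port 80 or 443 as appropriate for a plain-TCP test, max_wait above 40 and a drip_interval of a few seconds; a single connection is enough to measure the timeout, and opening many is the attack itself rather than a check.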