Lighttpd and Slowloris
I had heard various reports from people who use lighttpd during the initial investigation of slowloris that it was not vulnerable. But now I’m hearing differently. From Iraklis Alexios C. Mathiopoulos:
I just tested it on a fresh/default install of the latest lighttpd with a simple index.html page (no fastcgi this time). Consistent results: 4-5 seconds after I fire slowloris from host A to “attack” server B, server B is unresponsive. I’m checking from host C btw in order to minimize the risk of any DoS appliances that might be in the way blocking requests. Host A, server B, host C are all in different geographical locations. As soon as I stop slowloris, server B becomes responsive again. Interestingly enough, top doesn’t show any change in cpu/mem usage during the attack.
Btw the targeted server is running CentOS 5.4 64-bit on an Intel i7 with 8GB RAM.
Anyone have different results to share for lighttpd? About a year has come and gone and I haven’t heard any word from the Apache camp on a fix either. Anyone heard anything about a fix in Apache’s core web server?

June 14th, 2010 at 9:43 am
Hello,
As for Apache it’s not fixed in the core but a module has been released: mod_antiloris http://modules.apache.org/search.php?id=1783 http://packages.debian.org/sid/libapache2-mod-antiloris
Regards,
StalkR
June 15th, 2010 at 1:26 am
Hello,
mod_qos for apache2 works well for me. See: http://www.howtoforge.com/how-to-defend-slowloris-ddos-with-mod_qos-apache2-on-debian-lenny
Regards
ck01
June 15th, 2010 at 4:12 am
That’s what I hate about IT. They don’t fix things, they just write an anti-something function and go to bed.
The half-full-glass view is that this approach gives us a lot of work for the future.
June 16th, 2010 at 1:12 am
+1 on mod_antiloris, works fine.
Half-full is always cheaper in the short term.
June 17th, 2010 at 5:17 am
The official (integrated in the vanilla distrib since 2.2.15) module related to slowloris-like attacks is mod_reqtimeout (http://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html).
This module is enabled by default on Debian since 2.2.15-1 (http://packages.debian.org/changelogs/pool/main/a/apache2/current/changelog)
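The property mod_reqtimeout enforces, in miniature. This is an added example, not code from the post, its commenters, or the Apache project: a minimal header reader with an optional deadline on completing the request headers, run against a constructed loopback client that behaves the way the post describes slowloris behaving (an incomplete request whose headers never end, kept alive by trickling a line at a time). Port, header names and timings are all made up for the demonstration.

```python
import socket
import threading
import time

# Added example (not code from the post, its commenters, or Apache). It shows
# the property mod_reqtimeout's RequestReadTimeout header=... enforces: a bound
# on how long a client may take to *finish* sending its request headers.
# A Slowloris-style client never finishes them, so a server without that bound
# holds the connection for as long as the client cares to trickle bytes.

HEADER_END = b"\r\n\r\n"  # blank line that terminates an HTTP/1.x header block


def read_request_headers(conn, header_deadline=None, max_header_bytes=8192):
    """Read one request's headers from conn.

    header_deadline: seconds allowed to complete the header block; None means
    no limit (the behaviour Slowloris exploits). Returns (outcome, bytes_read)
    where outcome is 'ok', 'timeout', 'closed' or 'too_large'.
    """
    buf = b""
    start = time.monotonic()
    while HEADER_END not in buf:
        if header_deadline is not None:
            remaining = header_deadline - (time.monotonic() - start)
            if remaining <= 0:
                return ("timeout", buf)
            conn.settimeout(remaining)  # the whole block, not each recv, is bounded
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return ("timeout", buf)
        if not chunk:
            return ("closed", buf)  # peer closed before finishing the headers
        buf += chunk
        if len(buf) > max_header_bytes:
            return ("too_large", buf)
    return ("ok", buf)


def slow_client(port, interval, lines, finish):
    """Constructed client. Sends an incomplete request, then one header line
    every `interval` seconds; if finish is False it never sends the blank line
    that would end the headers (Slowloris behaviour)."""
    s = socket.create_connection(("127.0.0.1", port))
    try:
        s.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n")
        for i in range(lines):
            time.sleep(interval)
            s.sendall(b"X-a: %d\r\n" % i)  # keeps the connection looking alive
        if finish:
            s.sendall(b"\r\n")
    except OSError:
        pass  # server gave up on us first
    finally:
        s.close()


def run_once(header_deadline, client_interval=0.2, client_lines=5, finish=False):
    """Serve exactly one connection on a loopback port against slow_client and
    return (outcome, seconds the server spent on it, bytes it collected)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=slow_client,
                         args=(port, client_interval, client_lines, finish),
                         daemon=True)
    t.start()
    conn, _ = srv.accept()
    start = time.monotonic()
    with conn:
        outcome, collected = read_request_headers(conn, header_deadline)
    elapsed = time.monotonic() - start
    srv.close()
    t.join()
    return outcome, round(elapsed, 2), collected


if __name__ == "__main__":
    # No header deadline: the server is tied up for as long as the client trickles.
    print("no deadline :", run_once(None)[:2])
    # 0.3 s header deadline: the half-open request is dropped early.
    print("deadline=0.3:", run_once(0.3)[:2])
    # A client that completes its headers within the deadline is unaffected.
    print("well-behaved:", run_once(0.3, client_interval=0.05, client_lines=2, finish=True)[:2])
```

With no deadline the server sits in recv() until the client decides to close, so the hold time is entirely under the attacker's control; with a deadline the half-open request is dropped after the bound regardless of how often bytes dribble in, while a client that finishes its headers in time is served normally. The Apache directive the linked documentation describes (for instance the Debian default, RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500) does the same thing with a window that grows per bytes received rather than the fixed deadline used here, and it also covers the request body. Two caveats: a header deadline bounds how long each connection can pin a worker, it does not stop a large enough number of connections from exhausting the worker pool, and nothing here is specific to lighttpd, whose behaviour is what the post is asking about.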
July 4th, 2010 at 5:45 pm
One of the first articles (if not the first) that came out on defending from the attack: http://www.liranuna.com/securing-your-debian-server-against-slowloris/