[Page Previous 1, 2]

Topic: mod_antiloris.c improved (v0.5.2) for Apache 2.2 and 2.4

[2]

Topic: mod_antiloris.c improved (v0.5.2) for Apache 2.2 and 2.4

[glsmith]

This is why I do not use the module and argued about all the targets. IMO, if a connection is marked "Closing," it's going to be closed quickly. I do not see how anyone could hang a connection that's in closing stage or graceful, but I'm no l33t h4xor.

To be honest, I see no purpose for anything beyond
case SERVER_BUSY_READ:
case SERVER_BUSY_WRITE:
case SERVER_BUSY_KEEPALIVE:

If you have short enough keepalives even the latter is of less use in my opinion but, that is just my opinion.

I use 0.4 which is specifically for SlowLoris, I have a page of almost 600 thumnails on an XP, XP has a 20 connection limitation. I have no problem serving this page with MAX_PER_IP 10, I also use mod_reqtimeout to handle the SlowHttp attack.

As with any module, I suppose there's a possibility that another module will not play nice in the sandbox. I do not have mod_cloudflare, so do not know.

[maskego]

How do I set the mod_reqtimeout?And,what is the suggestion of mod_reqtimeout setting ?

[maskego]

gl:

mod_antiloris seems can't to stop slowloris attack.The web service stops during slowloris attacking.(I make a test)

Is there any good idea to stop slowloris ?

[glsmith]

mod_reqtimeout should,

You asked about settings for it .. but you are going to just have to experiment on that one. It will not be the same for everyone. Try it's defaults (just load the module) .. if that it not enough .. lower the limits

by the way, is this mod_antiloris 0.5.1, or 0.4.1, or both?

[maskego]

gl:

I install both mod_reqtimeout and mod_antiloris 0.4 after google it.It seems doesn't take effects on my site.I use slowloris to test it.Web service stops during at attacking time.Maybe it's apache's destiny under slowloris attacking?Mod_antiloris just can mitigate slowloris attack not to stop it.

And,where can I get mod_antiloris 0.5.1, or 0.4.1 for apache 2.2.x?

Would you please to compile mod_antiloris 0.5.1, or 0.4.1 for apache 2.2.x?

[glsmith]

the only difference between 0.4 and 0.4.1 is that 0.4.1 can be built with Apache 2.4 as well as 2.2, nothing more.
Same with the difference with 0.5 & 0.5.1. 0.5 however targets other Slowloris type attacks.

If it brings down the Apache service then something else is wrong. What do you mean by brings down? The service actually stops?

Slowloris just hogs up all open connections, that is how it works. Once all the connections are in use, no one else can get into the server. Once the attack has stop, Apache should come back after a minute or two.

0.4 for Apache 2.2 is at the Apache Haus

0.5 for Apache 2.2 you can get from NewEraCracker on the first page of this thread. There is no reason to build 0.4.1 or 0.5.1 for Apache 2.2, after the compiler acts on the ifdef/else/endif, it just the same module.

[maskego]

When slowloris start to attack,I can't connect to the site anymore.That's why I don't know what stops of mod_antiloris.I am sure the mod_antiloris is installed correctly.After the slowloris stops,I can connect to site again.

What is the function of mod_antiloris?
To stop slowloris or mitigate slowloris?It's different.

Is there any good idea to stop slowloris actually?Or make other normal conection keep alive during attacking occurs.

[maskego]

gl:

Can you visit this page http://www.howtoforge.com/node/4644 ?

The mod_qos seems to be helpful to defend the slowloris attack.

Maybe apachehaus compiles it to give some to defend slowloris attacking.

download:http://sourceforge.net/projects/mod-qos/

[glsmith]

uses Unix timespec and I've not found a Windows equivalent yet ... so no.

Back to antiloris, are you using it's default settings, because I have people who claim it does work, tested with the slowloris script.
http://www.apachelounge.com/viewtopic.php?t=3137&start=0

However, if you are on WinXP, you only have like 20 connections, so you cannot configure mod_antiloris higher. Then of course you have to understand file sharing using up a couple, so it's not even 20 anymore.

If it's left at it's default of 5, it should work.

[maskego]

I set the mod_antiloris number to 10.I install it at win2003server.
I get the logs below wehn I use slowloris to test it.

At the same time,I can't connect to this site via another computer.Does it mean,the mod_antiloris can't stop the slowloris attacking?I think if the mod_antiloris takes effects,I can visit this site from another computer.Actually,when there is a slowloris attacking,the site's web service is temporary stop to all its visitors.

It's so strange.

My question is :Does mod_antiloris work fine?Does antiloris stop slowloris attack or mitigate it only?If I install mod_antiloris,when there is a slowloris attack,can I visit this site via another computer normally?

[glsmith]

That is mod_antiloris working right there.
Rejected = 403 error

Other users should be able to connect. That you cannot from another computer on your LAN may because Apache sees one IP regardless of which computer (cause of how your router handles loopback).

I have this problem, all computers inside the LAN show up as my router IP if I use my external domain name to get to the site. If I use my internal names, then it shows the LAN IPs of the different computer. Everyone outside shows up as their IP.

https://www.apachehaus.net <- Apache receives router ip
http://www.ah.lan <- Apache receives computer's proper LAN ip

Linksys, bleh!

[maskego]

gl,

I figure it out.
It's routers issue to lead in my confusing.

I try to connect from another routers's computer to test,it's successful to site.

You always hit the target of issue.

best regards.

[NewEraCracker]

Hello,

I've done some changes over mod_antiloris to fix some issues that have been reported.

Changes include removal of SERVER_CLOSING, SERVER_GRACEFUL state checking that were added in 0.5.0 and an improvement in socket handling with Apache 2.4 (taken the idea from mod_noloris).

diff --ignore-all-space -uN

[NewEraCracker]

Today I have made some long overdue improvements to mod_antiloris code and bumped version to 0.6.0

Some parts of the code have been partially rewritten, added options to limit different states and added an option to specify local IP address(es) that will be ignored from limiting (this is based in a patch for mod_limitipconn patch found in the net).

The default settings are now 10 connections per type, which means each client can make up to 30 connections. If those limits are still not sufficient they can be increased in configuration.

[glsmith]

Since it's what we do

2.4.x vc11 x64 & x86
2.4.x vc14 x64 & x86

http://www.apachehaus.com/cgi-bin/download.plx

Edit: 2018-03-22 01:00 UTC
2.2.x is end-of-life
VC9 we do not do anymore

[DnvrSysEngr]

GL:

Anyone ever tell you, "you the man!!!"

Thank you.