10.29 Slow HTTP Denial of Service Attack (Slowloris)
A vulnerability scan reported one Slow HTTP Denial of Service Attack finding.
Server-Specific Recommendations
Applying the above steps to the HTTP servers tested in the previous article indicates the following server-specific settings:
Apache
- Using the <Limit> and <LimitExcept> directives to drop requests with methods not supported by the URL alone won’t help, because Apache waits for the entire request to complete before applying these directives. Therefore, use these parameters in conjunction with the LimitRequestFields, LimitRequestFieldSize, LimitRequestBody, LimitRequestLine, LimitXMLRequestBody directives as appropriate. For example, it is unlikely that your web app requires an 8190 byte header, or an unlimited body size, or 100 headers per request, as most default configurations have.
- Set reasonable TimeOut and KeepAliveTimeOut directive values. The historical default of 300 seconds for TimeOut (Apache 2.2; Apache 2.4 ships with 60) is overkill for most situations.
- ListenBackLog’s default value of 511 could be increased, which is helpful when the server can’t accept connections fast enough.
- Increase the MaxRequestWorkers directive to allow the server to handle the maximum number of simultaneous connections.
- Adjust the AcceptFilter directive, which is supported on FreeBSD and Linux, and enables operating system specific optimizations for a listening socket by protocol type. For example, the httpready Accept Filter buffers entire HTTP requests at the kernel level.
A number of Apache modules are available to minimize the threat of slow HTTP attacks. For example, mod_reqtimeout’s RequestReadTimeout directive helps to control slow connections by setting a timeout and a minimum data rate for receiving the request headers and body.
I also recommend switching apache2 to experimental Event MPM mode where available. This uses a dedicated thread to handle the listening sockets and all sockets that are in a Keep Alive state, which means incomplete connections use fewer resources while being polled.
Field | Value |
---|---|
Scanner | Acunetix |
Target URL | |
Vulnerable URL | |
Scan time | 2020-10-29 14:31:02 ~ 2020-10-29 14:51:00 |
Risk level | MEDIUM |
Affected parameter | N/A |
Vulnerability ID | Slow HTTP Denial of Service Attack |
Vulnerability name | Slow HTTP Denial of Service Attack |
Description | Description: Your web server is vulnerable to Slow HTTP DoS (Denial of Service) attacks. Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service. A single machine can take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. Recommendation: Consult Web references for information about protecting your web server against this type of attack. |
Plugin release date | N/A |
Scan finding details | Time difference between connections: 48300526 ms |
Test request | N/A |
Test response | N/A |
A Slow HTTP Denial of Service Attack sends an HTTP request very slowly (a few bytes at a time, never completing it) so that the server keeps a worker tied up waiting for the rest; enough such connections exhaust the worker pool and the service stops responding. The fix is to enforce a timeout on reading the request, which in Apache is done with mod_reqtimeout.

Open the Apache configuration file; on HP-UX it is at /opt/hpws22/apache/conf/httpd.conf.

The example from the mod_reqtimeout documentation is:

```apache
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
```

The steps actually applied here were, first, to make sure the module is loaded by changing

```apache
#LoadModule reqtimeout_module modules/mod_reqtimeout.so
```

to

```apache
LoadModule reqtimeout_module modules/mod_reqtimeout.so
```

and then to add the following at the bottom of the file. `header=10-20,MinRate=500` waits at most 10 seconds for the first header byte and extends that by 1 second per 500 bytes received, up to a hard cap of 20 seconds; `body=10,MinRate=500` applies the same rule to the request body with a 10-second initial timeout.

```apache
<IfModule reqtimeout_module>
    RequestReadTimeout header=10-20,MinRate=500
    RequestReadTimeout body=10,MinRate=500
</IfModule>
```

Restart Apache afterwards. Because the directives are wrapped in `<IfModule>`, the whole block is silently ignored if the module name is misspelled or the LoadModule line is still commented out, so the LoadModule change above is required for the timeout to take effect.

Resin has no equivalent parameter; setting maxIdleTime to 5000 (milliseconds) made the finding disappear.
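To confirm that the header timeout is really enforced after the change, the following probe does in miniature what the scanner did: it opens one connection, sends an incomplete request, trickles a bogus header line every few seconds in the Slowloris pattern, and measures how long the server keeps the half-open request alive. This is an added example for this page, not code from the original post, Apache, Qualys, or Acunetix. The local reference server in the block is constructed only so the probe can be exercised offline and emulates the header stage of mod_reqtimeout; the `X-a: b` header name, the 408 response text, and the `expected_max` default of 20 seconds (the cap from `header=10-20`) are assumptions for illustration.

```python
"""Slowloris header-timeout probe plus a local reference server (added example)."""
import socket
import sys
import threading
import time


def probe_slow_headers(host, port, max_wait=30.0, interval=2.0, path="/"):
    """Return (closed_by_server, seconds_held) for one slow-header connection.

    Sends a request line and one header but never the terminating blank line,
    then every `interval` seconds sends another bogus header (the Slowloris
    pattern) while watching for the server to respond (e.g. a 408) or close.
    closed_by_server is False if the server was still waiting after max_wait.
    """
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=interval) as s:
        s.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\n".encode())
        while True:
            if time.monotonic() - start >= max_wait:
                return False, time.monotonic() - start   # server still waiting
            try:
                s.recv(1)   # any bytes (a 408) or b"" (EOF) means the server gave up
                return True, time.monotonic() - start
            except socket.timeout:
                pass        # nothing from the server yet; keep the request dangling
            except OSError:
                return True, time.monotonic() - start
            try:
                s.sendall(b"X-a: b\r\n")   # one more header line, never the final CRLF
            except OSError:
                return True, time.monotonic() - start


def verdict(closed_by_server, seconds_held, expected_max=20.0):
    """Compare a probe result with the configured RequestReadTimeout header cap."""
    if closed_by_server and seconds_held <= expected_max + 2.0:
        return "protected"
    if closed_by_server:
        return "timeout enforced but slower than configured"
    return "vulnerable"


def start_reference_server(header_timeout):
    """Start a tiny local listener (constructed for this example) on 127.0.0.1.

    Emulates mod_reqtimeout's header stage: if the full header block has not
    arrived within header_timeout seconds it answers 408 and closes.
    header_timeout=None emulates a server with no header deadline at all.
    Returns the bound port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def handle(conn):
        deadline = None if header_timeout is None else time.monotonic() + header_timeout
        buf = b""
        try:
            with conn:
                while b"\r\n\r\n" not in buf:
                    if deadline is not None:
                        remaining = deadline - time.monotonic()
                        if remaining <= 0:
                            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\n"
                                         b"Connection: close\r\n\r\n")
                            return
                        conn.settimeout(remaining)
                    try:
                        chunk = conn.recv(4096)
                    except socket.timeout:
                        continue
                    if not chunk:
                        return              # client went away
                    buf += chunk
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n"
                             b"Connection: close\r\n\r\n")
        except OSError:
            pass

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        host, port = sys.argv[1], int(sys.argv[2])
    else:
        # No target given: demonstrate against the local server with a 2 s deadline.
        host, port = "127.0.0.1", start_reference_server(header_timeout=2.0)
    closed, held = probe_slow_headers(host, port, max_wait=30.0, interval=2.0)
    print(f"{host}:{port} closed_by_server={closed} held={held:.1f}s -> "
          f"{verdict(closed, held, expected_max=20.0)}")
```

Run it as `python3 probe.py <host> <port>` against the patched server; with `header=10-20` the connection should be dropped well inside 20 seconds and the verdict printed as "protected", whereas a server without mod_reqtimeout holds the dangling request for the full `max_wait`. The probe uses a single connection and sends a few bytes every couple of seconds, so it measures the timeout without putting any load on the target.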