Protecting Debian Lenny against Slowloris Denial of Service attack with mod_antiloris

Wednesday, 28th April 2010

In my previous posts I’ve written about some possible ways to protect against Slowloris on Debian with the mod_qos module.
For more on mod_qos see here

This solution to the denial of service attack, against which probably at least 40 percent of the Apache web servers online are still vulnerable, is not really applicable on 64-bit Debian GNU/Linux.
I installed mod_qos on a Debian Linux running an amd64 kernel and used the Apache server with this module for just a few days on a newly configured production Linux server running mostly PHP applications built on top of Zend Framework.
At first all looked fine: mod_qos was up and running and defending the Apache web server from the nasty Slowloris DoS attack. However, at a certain point the PHP application developers reported that Apache was crashing while executing some of the PHP code developed by the programming team.
After a quick examination of the Apache error logs I realized the Apache crashes were caused by misbehavior of the mod_qos module.

Realizing that mod_qos was causing the Apache segfaults on the amd64 architecture, I abandoned the idea of using it, and after some time spent researching what I could use as a substitute to protect against the Slowloris DoS attack I found mod_antiloris.
mod_antiloris is a tiny Apache module dedicated solely to being a workaround (fix) for Apache against the Slowloris denial of service.

Though the package is officially included in Debian Sid and is in the testing/unstable Debian repositories, it’s still not available via the official Debian repositories in Lenny, nor through Debian Lenny backports.

Therefore, to install this module, which in my humble view is compulsory to guarantee some security against modern denial of service attacks, you will need to compile it from source.
So here is how to install the mod_antiloris module on Debian Lenny from source:

1. Download and untar (unarchive) mod_antiloris

debian-server:~# wget ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/mod_antiloris-0.4.tar.bz2
debian-server:~# tar -jxvvf mod_antiloris-0.4.tar.bz2
debian-server:~# cd mod_antiloris-0.4/

2. Install the header files and Apache development programs necessary for the compilation of mod_antiloris

debian-server:~# apt-get install gcc apache2-threaded-dev

3. Compile the mod_antiloris module

debian-server:~# /usr/bin/apxs2 -i -c mod_antiloris.c

4. Create the necessary configuration files and enable the mod_antiloris module in Apache

debian-server:~# echo "LoadModule antiloris_module /usr/lib/apache2/modules/mod_antiloris.so" > /etc/apache2/mods-available/antiloris.load
debian-server:~# a2enmod antiloris
Enabling module antiloris.
Run '/etc/init.d/apache2 restart' to activate new configuration!

5. Restart the Apache web server

debian-server:~# /etc/init.d/apache2 restart

6. Use the slowloris.pl denial of service tool to verify that Apache is secured by mod_antiloris and no longer vulnerable to the Slowloris attack

debian-server:~# perl slowloris.pl -dns yourdomainname.com -port 80 -timeout 1 -num 200 -cache

Open an SSH connection to some free shell with a text browser such as lynx or links, or to some other Linux system you have access to, or use some proxy, to test whether your web server is responding while the above attack is in progress.
If after the test your web server opens your hosted webpages normally, then congrats, you’re secure!
You can sleep well at night with less worries about Denial of Service attacks 🙂
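
While the step 6 test runs, per-IP connection counts on the server show whether a single client is holding many sockets open. The script below is an added example, not part of the original post or of mod_antiloris; the function names, the threshold of 5 and the sample netstat lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): per-source-IP connection counts
# parsed from `netstat -ant` style lines read on stdin.
# Columns assumed: Proto Recv-Q Send-Q Local-Address Foreign-Address State

# per_ip_conns PORT: print "COUNT IP" for ESTABLISHED connections to local PORT,
# highest count first.
per_ip_conns() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($4, loc, ":")        # local port is the last ":" field
            if (loc[n] != port) next
            src = $5
            sub(/:[0-9]+$/, "", src)       # drop the client port
            sub(/^::ffff:/, "", src)       # fold v4-mapped IPv6 into IPv4
            count[src]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# suspects PORT LIMIT: print only the IPs holding more than LIMIT connections.
suspects() {
    per_ip_conns "$1" | awk -v limit="$2" '$1 > limit { print $2 }'
}

# Constructed sample input; addresses are from the documentation ranges.
sample_netstat() {
    echo "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN"
    for p in 1 2 3 4 5 6 7; do
        echo "tcp 0 0 192.0.2.10:80 203.0.113.5:5100$p ESTABLISHED"
    done
    echo "tcp 0 0 192.0.2.10:80 203.0.113.5:51099 SYN_RECV"
    echo "tcp 0 0 192.0.2.10:80 198.51.100.20:40001 ESTABLISHED"
    echo "tcp 0 0 192.0.2.10:80 198.51.100.20:40002 ESTABLISHED"
    echo "tcp 0 0 192.0.2.10:22 198.51.100.20:40003 ESTABLISHED"
    echo "tcp6 0 0 ::ffff:192.0.2.10:80 ::ffff:198.51.100.20:40004 ESTABLISHED"
}

# Live use on the server would be: netstat -ant | suspects 80 5
# (5 is an assumed threshold; tune it to your traffic.)
sample_netstat | per_ip_conns 80
```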


One Response to “Protecting Debian Lenny against Slowloris Denial of Service attack with mod_antiloris”

  1. Drew says:
    Thank you! I was getting really frustrated with the way this bug is being handled.

    I built up iptables and installed mod_antiloris — tested with the script and even flooded the webserver with 5 bots simultaneously. Worked like a charm.

    Why does 1994 keep happening over and over? Script kiddies be damned.