Lighttpd and slowloris

Added by xmichielx about 15 years ago

Hi, I am running CentOS 5 with Lighttpd and want to try Lighttpd as a replacement for my Apache based websites.
Mostly because it is said that it can handle slowloris DoS attacks.
I tried the slowloris script on my default Lighttpd config, but it seems Lighttpd is vulnerable to slowloris, or at least my version and config are.

My version:

[root@pcintelw01 wp]# rpm -qa | grep lighttpd
lighttpd-1.4.22-2.el5
lighttpd-fastcgi-1.4.22-2.el5

My config:
$HTTP["host"] =~ "(^|\.)paulluif\.nl$" {
server.document-root = "/var/www/www.paulluif.nl"
server.errorlog = "/var/log/lighttpd/paulluif-error.log"
accesslog.filename = "/var/log/lighttpd/paulluif-access.log"
server.error-handler-404 = "/e404.php"
}

Can anyone tell me if Lighttpd is vulnerable to Slowloris and what I can do to protect myself against its attack?

Thanks in advance.

Michiel

Replies (6)

RE: Lighttpd and slowloris - Added by icy about 15 years ago

However, Slowloris is a different kind of attack than what you mentioned, spaam. Slowloris holds up connections to fill some kind of limited resource like processes, threads or sockets.

This can be mitigated in two ways:

  1. Limit connections per IP
  2. Use a different concurrency model like Lighty which can handle a huge amount of connections using one thread/process

RE: Lighttpd and slowloris - Added by xmichielx about 15 years ago

The first one is not an option as you would limit a large group of users using NAT.
How do I accomplish the second one?

RE: Lighttpd and slowloris - Added by xmichielx about 15 years ago

To be more precise: Lighttpd 1.4.26 with the default config is vulnerable.
I think every webserver with its default config is vulnerable to slowloris.
I found that using Nginx in front of Apache is the only default setup which is protecting against slowloris.
If someone has some tips on how to harden Lighttpd against slowloris, I am more than happy to receive such documentation :)

Regards,

Michiel

RE: Lighttpd and slowloris - Added by stbuehler about 15 years ago

You always have a connection limit. It is just a question of how easily you can hit it; from localhost it will be pretty easy.
With async webservers like lighty you can just increase the limit, as it doesn't need many resources for a connection itself (unlike apache, which forks() in case of mpm-prefork).

RE: Lighttpd and slowloris - Added by xmichielx about 15 years ago

Of course, but is there a way I can protect myself from the default slowloris scan, aka:
perl slowloris.pl -dns website

With what settings can I stop a default slowloris attack?
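One way to apply in lighttpd 1.4 the two mitigations icy lists (per-IP limit, and letting the async server hold many cheap connections, as stbuehler describes), written as an added example that is not part of this thread or of lighttpd's own documentation; the numeric values are assumptions to tune for your own traffic, and mod_evasive provides the evasive.* directives.

```conf
# Added example for lighttpd 1.4 (not the thread's own config).
# Slowloris keeps many connections half-open by trickling request
# headers; each trickle resets lighttpd's read-idle timer, so timeouts
# alone do not end the attack. The defence combines three things:
# a short read-idle window, enough descriptors that an async server
# can absorb idle connections cheaply, and a per-IP connection cap.

server.event-handler = "linux-sysepoll"   # scalable polling on Linux

# 1. Do not wait long for the next header byte (default is 60 seconds).
server.max-read-idle           = 20
server.max-write-idle          = 60
server.max-keep-alive-idle     = 5
server.max-keep-alive-requests = 16

# 2. Raise the connection ceiling. Assumes the process ulimit -n allows
#    this many descriptors; keep max-connections at about half of
#    max-fds, since a FastCGI backend connection needs a descriptor too.
server.max-fds         = 8192
server.max-connections = 4096

# 3. Cap simultaneous connections per client address (mod_evasive).
#    The value is an assumption: size it for the largest NAT population
#    you serve, because every user behind one NAT shares this budget.
server.modules += ( "mod_evasive" )
evasive.max-conns-per-ip = 30
evasive.silent           = "disable"   # log the rejected (503) clients
```

Validate the file with `lighttpd -t -f /etc/lighttpd/lighttpd.conf` before reloading; then watch the error log for mod_evasive rejections, which tell you how often the per-IP cap is actually reached by legitimate NAT users.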
