Lighttpd and slowloris
Added by xmichielx over 15 years ago
Hi I am running CentOS 5 with Lighttpd and want to try Lighttpd as a replacement for my Apache based websites.
Mostly because it said that it can handle slowloris DoS attacks.
I tried the slowloris script on my default Lighttpd config but it seems Lighttpd is vulnerable to slowloris, or at least: my version and config.
My version:
[root@pcintelw01 wp]# rpm -qa | grep lighttpd
lighttpd-1.4.22-2.el5
lighttpd-fastcgi-1.4.22-2.el5
My config:
$HTTP["host"] =~ "(^|\.)paulluif\.nl$" {
server.document-root = "/var/www/www.paulluif.nl"
server.errorlog = "/var/log/lighttpd/paulluif-error.log"
accesslog.filename = "/var/log/lighttpd/paulluif-access.log"
server.error-handler-404 = "/e404.php"
}
Can anyone tell me if Lighttpd is vulnerable to Slowloris and what I can do to protect myself against its attack?
Thanks in advance.
Michiel
Replies (6)
RE: Lighttpd and slowloris - Added by spaam over 15 years ago
it was until version 1.4.26. so upgrade to 1.4.26.
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt
RE: Lighttpd and slowloris - Added by icy over 15 years ago
However Slowloris is a different kind of attack than what you mentioned spaam. Slowloris holds up connections to fill some kind of limited resource like processes, threads or sockets.
This can be mitigated in two ways:
- Limit connections per IP
- Use a different concurrency model like Lighty which can handle a huge amount of connections using one thread/process
RE: Lighttpd and slowloris - Added by xmichielx over 15 years ago
The first one is not an option as you would limit a large group of users using NAT.
How do I accomplish the second one?
RE: Lighttpd and slowloris - Added by xmichielx over 15 years ago
To be more precies: Lighttpd and 1.4.26 and the default config is vulnerable.
I think every webserver is with its default config vulnerable to slowloris.
I found that using Nginx in front of Apache is the only default setup which is protecting against slowloris.
If someone has some tips for Lighttpd how to harden itself against slowloris, I am more then happy to receive such documentation :)
Regards,
Michiel
RE: Lighttpd and slowloris - Added by stbuehler over 15 years ago
You always have a connection limit. It is just a question how easily you can hit it; from localhost it will be pretty easy.
With async webservers like lighty you can just increase the limit, as it doesn't need many resources for a connection itself (unlike apache, which forks() in case of mpm-prefork).
RE: Lighttpd and slowloris - Added by xmichielx over 15 years ago
offcouse but is there a way how I can protect myself from the default slowloris scan aka:
perl slowloris.pl -dns website
With what settings can I stop a default slowloris attack?