Web 服务器 low bandth DOS attack

https://www.owasp.org/images/0/04/Roberto_Suggi_Liverani_OWASPNZDAY2010-Defending_against_application_DoS.pdf

 

 slowloris

http://www.huffingtonpost.co.uk/-frontier/slow-loris_b_8541930.html

• 蜂猴 懒猴

• slow:    adj. 1.慢的，缓慢的 (opp. fast; qu ...
• loris:    n. (pl. loris) 【动物；动物学】懒猴属；懒 ...

 

消耗掉所有的线程。

Change http headers to simulate multiple connections/browsers



Exhaust all threads available

HTTP POST DoS

 

No delay in sending HTTP Headers (!= Slowloris)



Content

-

Length = 1000 bytes



HTTP message body is sent 1 byte each 110 seconds till the

last byte



Require a good number of threads per each machine

–

<10k connections to bring down Apache

–

~60k connections for IIS (if rapid fail protection is on)

 

HTTP Flooders/DDoS Attack

Most common L7 attack



Typically launched from botnets



Black Energy botnet C&C interface



Frequencies, thread and command option

 

 

 

Apache

Key Directives



Maxclients, Timeout, KeepAlive and KeepAlive Timeout



Traffic Shaping



mod_throttle

-

limit the frequency of requests allowed from a

single client within a window of time



mod_bwshare

-

bandwidth throttling by HTTP client IP address



mod_limitipconn

-

limit the number of simultaneous downloads

permitted from a single IP address



mod_dosevasive

-

detects too many connections and

temporaribly block offending IP address



mod_security

–

WAF, filtering, monitoring, loggi