LiteSpeed Support Forums > LiteSpeed Web Server > General > Slowloris http DDoS attack - is LiteSpeed safe?
#1
Old 06-19-2009, 10:37 AM
closet geek
Senior Member
 
Join Date: Sep 2008
Posts: 68
Slowloris http DDoS attack - is LiteSpeed safe?

Hi,

Please can someone confirm if LiteSpeed is vulnerable to this attack: http://ha.ckers.org/slowloris/?docid=EBFPB_IBPWZWR

Apache in most installations is; IIS isn't, and neither are Lighttpd and Cherokee (as far as I understand).

Thanks.
#2
Old 06-19-2009, 10:46 AM
mistwang
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,590
It can be easily fended off:
http://www.litespeedtech.com/how-tos.html#qa_dos
#3
Old 06-19-2009, 11:06 AM
closet geek
Senior Member
 
Join Date: Sep 2008
Posts: 68
So the LiteSpeed DDoS settings are able to cope with this completely different type of DDoS?
#4
Old 06-19-2009, 02:22 PM
mistwang
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,590
LSWS can limit the number of connections from one IP; once over the limit, all future connection requests will be dropped, so this type of attack won't affect LSWS.
#5
Old 06-23-2009, 01:05 PM
anewday
Senior Member
 
Join Date: Nov 2007
Location: New York
Posts: 723
I assume litespeed should be resilient to this new attack?

Quote:
Yesterday an interesting HTTP DoS tool has been released. The tool performs a Denial of Service attack on Apache (and some other, see below) servers by exhausting available connections. While there are a lot of DoS tools available today, this one is particularly interesting because it holds the connection open while sending incomplete HTTP requests to the server.

In this case, the server will open the connection and wait for the complete header to be received. However, the client (the DoS tool) will not send it and will instead keep sending bogus header lines which will keep the connection allocated.
The initial part of the HTTP request is completely legitimate:

GET / HTTP/1.1\r\n
Host: host\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n
Content-Length: 42\r\n

After sending this the client waits for a certain time – notice that it is missing one CRLF to finish the header, which is otherwise completely legitimate. The bogus header line the tool sends is currently:

X-a: b\r\n

Which obviously doesn't mean anything to the server so it keeps waiting for the rest of the header to arrive.
Of course, this all can be changed so if you plan to create IDS signatures keep that in mind.

According to the web site where the tool was posted, Apache 1.x and 2.x are affected as well as Squid, so the potential impact of this tool could be quite high considering that it doesn't need to send a lot of traffic to exhaust available connections on a server (meaning, even a user on a slower line could possibly attack a fast server). Good news for Microsoft users is that IIS 6.0 or 7.0 are not affected.

At the moment I'm not sure what can be done in Apache's configuration to prevent this attack – increasing MaxClients will just increase requirements for the attacker as well but will not protect the server completely. One of our readers, Tomasz Miklas said that he was able to prevent the attack by using a reverse proxy called Perlbal in front of an Apache server.

We'll keep an eye on this, of course, and will post future diaries or update this one depending on what's happening. It will be interesting to see how/if other web servers as well as load balancers are resistant to this attack.
http://isc.sans.org/diary.html?storyid=6601

Last edited by anewday; 06-23-2009 at 01:09 PM..
#6
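The two defences raised in posts #4 and #5 (a per-IP connection cap, and forwarding only requests whose header actually completes, which is what the HAProxy quote later in the thread describes) can be modelled together server-side. The following is an added example, not LiteSpeed, HAProxy or Apache code; the addresses, connection ids and clock values are constructed so it runs offline.

```python
from collections import defaultdict

HEADER_END = b"\r\n\r\n"

class SlowHeaderGuard:
    """Per-IP connection cap (what LSWS does) plus forward-only-complete-headers with a
    deadline measured from connection open. Constructed model; clock values are injected."""

    def __init__(self, max_conns_per_ip=10, header_timeout=5.0):
        self.max_conns_per_ip, self.header_timeout = max_conns_per_ip, header_timeout
        self.conns = {}                 # conn_id -> {"ip", "buf", "opened"}
        self.per_ip = defaultdict(int)  # ip -> live connection count

    def open(self, conn_id, ip, now):
        if self.per_ip[ip] >= self.max_conns_per_ip:  # cap reached: drop new ones
            return "rejected"
        self.per_ip[ip] += 1
        self.conns[conn_id] = {"ip": ip, "buf": b"", "opened": now}
        return "accepted"

    def feed(self, conn_id, data, now):
        c = self.conns[conn_id]
        c["buf"] += data
        if HEADER_END in c["buf"]:                    # complete header: forward it
            return self._close(conn_id, "forwarded")
        if now - c["opened"] > self.header_timeout:   # bogus lines don't reset the deadline
            return self._close(conn_id, "dropped:header_timeout")
        return "pending"

    def sweep(self, now):
        # Reap silent connections whose header never completed within the deadline.
        stale = [cid for cid, c in self.conns.items() if now - c["opened"] > self.header_timeout]
        return [self._close(cid, cid) for cid in stale]

    def _close(self, conn_id, result):
        self.per_ip[self.conns.pop(conn_id)["ip"]] -= 1
        return result

def simulate():
    # Constructed scenario: one address opens 12 connections that never send the final
    # CRLF (the diary's pattern); a second address sends a complete request.
    g = SlowHeaderGuard(max_conns_per_ip=10, header_timeout=5.0)
    partial = b"GET / HTTP/1.1\r\nHost: host\r\nContent-Length: 42\r\n"  # no terminating CRLF
    opened = [g.open(f"slow{i}", "198.51.100.7", now=0.0) for i in range(12)]
    for i in range(10):
        g.feed(f"slow{i}", partial, now=0.1)
    late = g.feed("slow0", b"X-a: b\r\n", now=6.0)   # bogus header line after the deadline
    swept = g.sweep(now=6.0)                          # the other nine are silent and stale
    g.open("ok", "203.0.113.5", now=6.1)
    normal = g.feed("ok", b"GET / HTTP/1.1\r\nHost: host\r\n\r\n", now=6.2)
    return {"rejected": opened.count("rejected"), "late": late,
            "swept": len(swept), "normal": normal, "live": len(g.conns)}
```

The cap alone only bounds how many sockets one address can hold; the header deadline is what frees the ones it does hold, so both controls are needed for the scenario the diary describes.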
Old 06-24-2009, 09:11 AM
grniyce
Senior Member
 
Join Date: Jan 2009
Posts: 52
Same thing applies; however, if you have CSF installed and you have SynFlood enabled, they could tie up all of your "half-open" connections, which is what is described above. It's not really a new attack. For me I just left the SynFlood portion of CSF set to 0, or disabled. LSWS effectively blocks those attacks also.
#7
Old 06-24-2009, 01:01 PM
anewday
Senior Member
 
Join Date: Nov 2007
Location: New York
Posts: 723
Same here with CSF, I just wanted to make sure litespeed drops these half open connections...
#8
Old 07-15-2009, 08:48 AM
anewday
Senior Member
 
Join Date: Nov 2007
Location: New York
Posts: 723
http://www.webhostingtalk.com/showpo...7&postcount=12

George, how does lsws compare to Apache + HAProxy against such attacks?

anti-dos config: http://haproxy.1wt.eu/download/1.3/examples/antidos.cfg

"More specifically, HAProxy will only forward complete and valid requests"

They say nginx would probably do equally well. btw, I assume lsws can handle "nkiller2" ?

Last edited by anewday; 07-15-2009 at 08:53 AM..
© Copyright 2003-2011 LiteSpeed Technologies, Inc. All rights reserved. Privacy Policy.