HTTP slow attack (Slow HTTP Attack)

1. What is a slow connection attack

A slow HTTP denial-of-service attack is an application-layer denial-of-service attack aimed specifically at the Web. The attacker controls bots on the network to send the target Web server a large number of HTTP requests until the server's bandwidth is fully consumed, resulting in a denial of service (the target server is paralyzed).

2. Types of Slow Connection Attacks

Slow connection attacks mainly include the following types:

1. Slow headers attack

The attacker opens an HTTP request to the server and keeps sending HTTP headers. The server must receive all HTTP headers before it can process the request; because the attacker never stops sending headers, the server never finishes receiving them. The server's Web container is soon filled with the attacker's TCP connections, can no longer accept new requests, and eventually refuses service.

2. Slow body attack

The attacker sends a POST request to the target server. The server, expecting a large amount of data, keeps the connection open, but the attacker sends the data at a rate of one byte every 10 to 100 seconds. As more such connections accumulate, server resources are massively consumed, until the limit is reached and service is denied.

3. Slow read attack

After establishing a connection with the server, the attacker sends a complete request, keeps the connection open, and then reads the response at a very low rate, or makes the server believe the client is busy, consuming the server's connection and memory resources.
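The three patterns above each leave a distinct signature in a server's connection table: a request head that never completes, a body that arrives far below its announced length, or a response that the client drains at a trickle. The following script is an added example (not code from the original post or from any server) that classifies constructed connection records by those signatures and counts per-IP offenders. The record fields, the 30-second age threshold and the 500-byte-per-second rate are assumptions, not any server's real export format:

```python
"""Classify long-lived HTTP connections into the three slow-attack patterns.

Added example, not from the original post. The connection records are a
constructed stand-in for what a server-status page or connection table
would export; the field names are assumptions, not a real server schema.
"""
from collections import Counter

# Assumed thresholds: a connection is "slow" when it is older than MAX_AGE
# seconds and has moved fewer than MIN_RATE bytes per second on average.
MAX_AGE = 30.0
MIN_RATE = 500.0

# Constructed sample. Per record:
#   age           seconds since the TCP connection was accepted
#   req_bytes     request bytes received so far (headers + body)
#   headers_done  whether the request head has been fully received
#   body_expected Content-Length announced by the client (0 if none)
#   body_received body bytes received so far
#   resp_sent     response bytes the client has actually drained
#   resp_total    response bytes the server wants to send (0 if none yet)
SAMPLE_CONNECTIONS = [
    # three trickling request heads from one source (slow headers)
    {"ip": "203.0.113.10", "age": 120, "req_bytes": 300, "headers_done": False,
     "body_expected": 0, "body_received": 0, "resp_sent": 0, "resp_total": 0},
    {"ip": "203.0.113.10", "age": 118, "req_bytes": 280, "headers_done": False,
     "body_expected": 0, "body_received": 0, "resp_sent": 0, "resp_total": 0},
    {"ip": "203.0.113.10", "age": 115, "req_bytes": 260, "headers_done": False,
     "body_expected": 0, "body_received": 0, "resp_sent": 0, "resp_total": 0},
    # a POST announcing 1 MB but delivering 40 bytes in 90 s (slow body)
    {"ip": "198.51.100.7", "age": 90, "req_bytes": 540, "headers_done": True,
     "body_expected": 1_000_000, "body_received": 40, "resp_sent": 0, "resp_total": 0},
    # a complete request whose 2 MB response is drained at 4 KB in 200 s (slow read)
    {"ip": "192.0.2.5", "age": 200, "req_bytes": 420, "headers_done": True,
     "body_expected": 0, "body_received": 0, "resp_sent": 4096, "resp_total": 2_000_000},
    # a healthy young connection
    {"ip": "192.0.2.9", "age": 2, "req_bytes": 400, "headers_done": True,
     "body_expected": 0, "body_received": 0, "resp_sent": 8000, "resp_total": 8000},
    # a legitimate large upload: old, but moving ~500 KB/s
    {"ip": "198.51.100.8", "age": 60, "req_bytes": 30_000_500, "headers_done": True,
     "body_expected": 50_000_000, "body_received": 30_000_000, "resp_sent": 0, "resp_total": 0},
]


def classify(conn):
    """Return "slow-headers", "slow-body", "slow-read" or None for one record."""
    age = conn["age"]
    if age <= MAX_AGE:
        return None                       # too young to judge
    if not conn["headers_done"]:
        # head still incomplete after MAX_AGE and trickling below MIN_RATE
        return "slow-headers" if conn["req_bytes"] / age < MIN_RATE else None
    if conn["body_received"] < conn["body_expected"]:
        # announced body not delivered and arriving below MIN_RATE
        return "slow-body" if conn["body_received"] / age < MIN_RATE else None
    if conn["resp_total"] and conn["resp_sent"] < conn["resp_total"]:
        # response pending and the client drains it below MIN_RATE
        return "slow-read" if conn["resp_sent"] / age < MIN_RATE else None
    return None


def summarize(conns, per_ip_threshold=3):
    """Group flagged connections by pattern and list IPs at/over the threshold."""
    labels = {}
    per_ip = Counter()
    for c in conns:
        label = classify(c)
        if label:
            labels.setdefault(label, []).append(c["ip"])
            per_ip[c["ip"]] += 1
    offenders = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    return labels, offenders


if __name__ == "__main__":
    found, bad_ips = summarize(SAMPLE_CONNECTIONS)
    for pattern, ips in found.items():
        print(f"{pattern}: {len(ips)} connection(s) from {sorted(set(ips))}")
    print("per-IP offenders:", bad_ips)
```

The per-IP count is what makes the output actionable: a single slow connection is normal on a bad mobile link, while many from one address is the pattern the per-IP connection limits in the server configurations below are meant to cut off. The slow-read case is the hardest to see from request-side counters alone; in practice the outbound rate comes from the TCP send queue or the server's own connection status page.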

3. Solution

Different servers defend against slow HTTP denial-of-service attacks in different ways. The following measures are recommended:

lighttpd

Add the following to the lighttpd.conf configuration file:

server.modules = (
    "mod_evasive",                # enable the defense module
)
evasive.max-conns-per-ip = 30     # limit the number of concurrent connections a single IP may open to the server
server.max-keep-alive-idle = 60   # maximum duration of a persistent (keep-alive) connection in seconds; for non-concurrent use it can likewise be set lower, and the smaller the better as the actual situation allows
server.max-read-idle = 60         # maximum time in seconds a pending read on a non-persistent connection may wait before it times out and the connection is closed; the smaller the better as the actual situation allows

WebSphere

1. To limit the size of HTTP data, make the following settings in WebSphere Application Server:

The default maximum size of any single HTTP header is 32768 bytes. It can be set to a different value.

The default maximum number of HTTP headers is 50. It can be set to a different limit value.

Another common DoS attack is to send a request that results in a long-running GET request. The ServerIOTimeoutRetry property in the WebSphere Application Server Plug-in limits the number of retries for any request, which reduces the impact of such long-running requests.

Set a limit on the maximum size of any request body.

2. Set keepalive parameters

Open the IBM HTTP Server installation directory, open the conf folder, open the file httpd.conf, find the KeepAlive value and change ON to OFF (the default is ON).

This value indicates whether the connection between the client and the HTTP server is kept open. If it is set to ON, requests are queued once the number of requests reaches the MaxKeepAliveRequests value, resulting in slow responses.

See the reference link for details: www.ibm.com/developerwo…

Weblogic

1. In the configuration management interface, under Protocol -> General Information, set the complete message timeout to less than 200.

2. In the configuration management interface, under Protocol -> HTTP, set the POST timeout, duration, and maximum POST size to a safe value range.

docs.oracle.com/cd/E12890_0…

Nginx

1. By adjusting $request_method, configure the server to restrict which HTTP request types it accepts.

2. On the premise that the business is not affected, adjust client_max_body_size, client_body_size, client_header_buffer_size, large_client_header_buffers, client_body_timeout and client_header_timeout, increasing them as appropriate.

3. For sessions or the same IP address, use the HttpLimitReqModule and HttpLimitZoneModule parameters to limit the request rate or the number of concurrent connections.

4. According to the CPU size and load, configure the values of worker_processes and worker_connections; the formula is: max_clients = worker_processes * worker_connections.

Apache

It is recommended to use mod_reqtimeout and mod_qos together for protection.

1. mod_reqtimeout is used to control the rate at which requests are sent on each connection. Configuration example:

For the request header part, set the initial timeout to 10 seconds, and after data is received from the client, extend the timeout by 1 second for every 500 bytes received, up to a maximum of 40 seconds. This protects against slowloris-type slow attacks.

RequestReadTimeout header=10-40,minrate=500

For the request body part, set the initial timeout to 10 seconds, and after data is received from the client, extend the timeout by 1 second for every 500 bytes received, up to a maximum of 40 seconds. This protects against slow message-body attacks.

RequestReadTimeout body=10-40,minrate=500

Note that for HTTPS sites the initial timeout needs to be increased, for example to 20 seconds.

Example:

LoadModule reqtimeout_module modules/mod_reqtimeout.so
<IfModule reqtimeout_module>
RequestReadTimeout header=10-40,minrate=500 body=10-40,minrate=500
</IfModule>
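To check what a given RequestReadTimeout setting actually permits before deploying it, the following script is an added example (not the post's code and not mod_reqtimeout's implementation) that models the documented rule: an initial timeout, extended by one second for every MinRate bytes received, capped at the maximum. It replays constructed arrival traces of request bytes against a setting string such as "10-40,MinRate=500" and reports whether the read phase would complete or time out. The deadline is measured from the start of the read phase, and the exact bookkeeping inside Apache may differ; both are assumptions of this model:

```python
"""Model of Apache's RequestReadTimeout "initial-max,MinRate=N" budget.

Added example, not from the original post and not Apache's own code. It
reproduces the documented rule (initial timeout, +1 s per MinRate bytes,
capped at the maximum) so a setting can be checked offline on a trace.
"""


class ReadTimeoutBudget:
    """Tracks the seconds a client has earned for one read phase (head or body)."""

    def __init__(self, initial, maximum, minrate):
        self.initial = initial      # seconds granted before any byte arrives
        self.maximum = maximum      # hard cap on the deadline, in seconds
        self.minrate = minrate      # bytes that earn one extra second (None: no extension)
        self.received = 0           # bytes seen so far in this phase

    def receive(self, nbytes):
        self.received += nbytes

    def deadline(self):
        # Assumption: deadline counted from the start of the read phase.
        extra = self.received // self.minrate if self.minrate else 0
        return min(self.initial + extra, self.maximum)


def parse_setting(spec):
    """Parse "10-40,MinRate=500" into (initial, maximum, minrate)."""
    parts = spec.split(",")
    low, high = parts[0].split("-")
    minrate = None
    for option in parts[1:]:
        key, value = option.split("=")
        if key.strip().lower() == "minrate":   # Apache accepts MinRate/minrate
            minrate = int(value)
    return int(low), int(high), minrate


def simulate(spec, trace, complete_at):
    """Replay a trace of (seconds, bytes) chunk arrivals against a setting.

    complete_at is the second at which the request head (or body) would be
    complete, or None if the client never finishes. Returns ("ok", t) when
    the phase completes in time, otherwise ("timeout", deadline).
    """
    initial, maximum, minrate = parse_setting(spec)
    budget = ReadTimeoutBudget(initial, maximum, minrate)
    for t, nbytes in trace:
        if t > budget.deadline():
            return ("timeout", budget.deadline())
        budget.receive(nbytes)           # bytes that arrived in time extend the budget
    if complete_at is None or complete_at > budget.deadline():
        return ("timeout", budget.deadline())
    return ("ok", complete_at)


# Constructed traces.
# A trickling request head: 10 bytes every 5 seconds, never completing.
TRICKLE_TRACE = [(5 * i, 10) for i in range(1, 20)]
# A slow but genuine client on a poor link: finishes its head at t=13.
POOR_LINK_TRACE = [(8, 1000), (11, 1500)]
POOR_LINK_DONE_AT = 13
# A large body that earns the full extension but still needs 45 seconds.
BIG_BODY_TRACE = [(9, 20000)]
BIG_BODY_DONE_AT = 45

if __name__ == "__main__":
    for name, trace, done in [("trickle", TRICKLE_TRACE, None),
                              ("poor link", POOR_LINK_TRACE, POOR_LINK_DONE_AT),
                              ("big body", BIG_BODY_TRACE, BIG_BODY_DONE_AT)]:
        print(name, "10-40,MinRate=500 ->", simulate("10-40,MinRate=500", trace, done))
    print("trickle 20-40,MinRate=500 ->", simulate("20-40,MinRate=500", TRICKLE_TRACE, None))
```

The three traces show the trade-off the setting encodes: a client trickling 10 bytes every 5 seconds earns no extension and is cut off at the initial 10 seconds, a client that sends real data is rewarded with extra time and completes, and no client can hold the read phase beyond the 40-second cap however much it sends. Raising the initial value to 20 for HTTPS, as the text recommends, moves only the first cut-off.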

2. mod_qos is used to control the number of concurrent connections. Configuration example:

# When the number of concurrent server connections exceeds 600, close keepalive
QS_SrvMaxConnClose 600

Limit the maximum number of concurrent connections per source IP to 50:

QS_SrvMaxConnPerIP 50

These two values can be adjusted according to the server's performance.

More about qos_module configuration reference: mod-qos.sourceforge.net/dos.html

Example:

LoadModule qos_module modules/mod_qos.so
<IfModule qos_module>
QS_SrvMaxConnClose 600
QS_SrvMaxConnPerIP 50
</IfModule> 

IHS server

Please install the latest patch first, then enable the mod_reqtimeout module by adding the following to the configuration file:

LoadModule reqtimeout_module modules/mod_reqtimeout.so

Then add the configuration for the mod_reqtimeout module:

<IfModule mod_reqtimeout.c>
RequestReadTimeout header=10-40,MinRate=500 body=10-40,MinRate=500
</IfModule> 

For HTTPS sites, header=20-40,MinRate=500 is recommended. See: www-01.ibm.com/support/doc…

F5 load balancing repair suggestion

The F5 load balancing device has a corresponding protection module. If it has not been purchased, please refer to the detailed configuration process in the attachment. For F5's slow-attack protection configuration, refer to the following links: support.f5.com/kb/en-us/so… devcentral.f5.com/articles/mi…

IIS server

IIS can be protected by configuring the Web.config of the relevant websites as follows:

1. webLimits settings:

<configuration>
  <system.applicationHost>
    <webLimits connectionTimeout="00:00:30" headerWaitTimeout="00:00:10" dynamicIdleThreshold="150" minBytesPerSecond="512" />
  </system.applicationHost>
</configuration>

Refer to the following link: docs.microsoft.com/en-us/iis/c…

2. headerLimits settings:

<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits>
          <headerLimits>
            <add header="Content-type" sizeLimit="100" />
          </headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Refer to the following link: docs.microsoft.com/enus/iis/co…

Origin blog.csdn.net/qq_44005305/article/details/128631206