If you do not want to use an additional web server, you can use iptables with the connlimit module (fig.1) or, at the application level, the Apache module mod_qos in conjunction with mod_noloris (fig.2).
fig.1:
# /sbin/iptables -A INPUT -p tcp --syn --dport 80:443 -m connlimit --connlimit-above 12 --connlimit-mask 24 -j REJECT
fig.2:
# minimum request/response speed
QS_SrvMinDataRate 150 1200
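As an added example (not part of the original post), this Python sketch applies the limits from the fig.1 rule to a constructed list of connections in `ss -tn` layout, to show which source /24 networks would exceed 12 connections before the rule is enabled. The function names, the sample addresses and the IPv4-only parsing are assumptions.

```python
import ipaddress
from collections import Counter

# Values copied from the iptables rule in fig.1
LIMIT = 12               # --connlimit-above 12
MASK = 24                # --connlimit-mask 24
PORTS = range(80, 444)   # --dport 80:443 is the whole range 80..443

# Constructed sample in `ss -tn` layout (IPv4 only, documentation addresses)
SAMPLE = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
# 14 different hosts of one /24, a single connection each
SAMPLE += [f"ESTAB 0 0 10.0.0.5:80 198.51.100.{h}:{40000 + h}" for h in range(1, 15)]
# one host with 5 HTTPS connections
SAMPLE += [f"ESTAB 0 0 10.0.0.5:443 203.0.113.7:{50000 + i}" for i in range(5)]
SAMPLE += [
    "ESTAB 0 0 10.0.0.5:110 203.0.113.7:53000",   # inside 80:443, counted
    "ESTAB 0 0 10.0.0.5:8080 203.0.113.7:51000",  # outside the range, ignored
]

def parse_ss(lines):
    """Yield (local_port, peer_ip) for each connection line; the header is skipped."""
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        local, peer = fields[3], fields[4]
        yield int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]

def per_subnet(lines, mask=MASK, ports=PORTS):
    """Count connections to the protected ports per source network of size /mask."""
    counts = Counter()
    for port, ip in parse_ss(lines):
        if port in ports:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            counts[str(net)] += 1
    return counts

def over_limit(lines, limit=LIMIT):
    """Source networks that hold more than `limit` connections."""
    return {net: n for net, n in per_subnet(lines).items() if n > limit}

if __name__ == "__main__":
    for net, n in sorted(per_subnet(SAMPLE).items()):
        flag = "over limit" if n > LIMIT else "ok"
        print(f"{net:18} {n:3} {flag}")
```

In the sample, 14 different hosts with one connection each exceed the limit because `--connlimit-mask 24` counts them as a single source, which is worth checking for clients behind a shared network before enabling the rule.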
However, as we mentioned, the simplest and safest option for the moment appears to be placing a non-vulnerable web server in front.
To try countering the Slowloris attack, we can move our Apache server to another port (8080) and install the haproxy server in front of it (80):
--00:54:37-- <http://haproxy.1wt.eu/download/1.3/examples/antidos.cfg>
=> `antidos.cfg'
Proxy request sent, awaiting response... 200 OK
Length: 2,014 (2.0K) [text/plain]
100%[==================================================================================>] 2,014 --.--K/s
00:54:38 (53.35 MB/s) - `antidos.cfg' saved [2014/2014]
/home/usuario/haproxy-1.3.20 # haproxy -?
HA-Proxy version 1.3.20 2009/08/09
Usage : haproxy [-f ]* [ -vdVD ] [ -n ] [ -N ]
[ -p ] [ -m ]
-v displays version ; -vv shows known build options.
-d enters debug mode ; -db only disables background mode.
-V enters verbose mode (disables quiet mode)
-D goes daemon
-q quiet mode : don't display messages
-c check mode : only check config files and exit
-n sets the maximum total # of connections (2000)
-m limits the usable amount of memory (in MB)
-N sets the default, per-proxy maximum # of connections (2000)
-p writes pids of all children to this file
-sf/-st [pid ]* finishes/terminates old pids. Must be last arguments.
/home/usuario/haproxy-1.3.20 # haproxy -f antidos.cfg
Once haproxy is installed, we launch the attack to check whether it is vulnerable:
And indeed, we confirm that our web server is no longer vulnerable to Slowloris:
/home/usuario/haproxy-1.3.20 # tail -f /var/log/apache2/error_log
[Wed Sep 16 23:36:52 2009] [error] [client 172.20.32.223] Directory index forbidden by Options directive: /srv/www/htdocs/
[Wed Sep 16 23:36:53 2009] [error] [client 172.20.32.223] Directory index forbidden by Options directive: /srv/www/htdocs/
[Thu Sep 17 00:48:04 2009] [notice] caught SIGTERM, shutting down
[Thu Sep 17 00:48:05 2009] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Thu Sep 17 00:48:05 2009] [notice] mod_antiloris 0.4 started
[Thu Sep 17 00:48:05 2009] [notice] Apache/2.2.13 (Linux/SUSE) mod_ssl/2.2.13 OpenSSL/0.9.8a configured -- resuming normal operations
[Thu Sep 17 00:48:32 2009] [error] [client 172.20.32.223] Directory index forbidden by Options directive: /srv/www/htdocs/
[Thu Sep 17 00:56:00 2009] [error] [client 172.20.32.223] Directory index forbidden by Options directive: /srv/www/htdocs/
[Thu Sep 17 00:56:04 2009] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /srv/www/htdocs/
[Thu Sep 17 00:56:07 2009] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /srv/www/htdocs/