Defending against Slowloris

It seems that, for the moment, the best way to counter Slowloris without modifying the Apache configuration and without taking availability risks is definitely to put another, non-vulnerable web server in front of it, such as haproxy.

If you do not want to run an additional web server, you can use iptables with the connlimit module (fig.1) or, at the application level, use the Apache module mod_qos together with mod_noloris (fig.2).

fig.1:

# /sbin/iptables -A INPUT -p tcp --syn --dport 80:443 -m connlimit --connlimit-above 12 --connlimit-mask 24 -j REJECT


fig.2:

# minimum request/response speed
QS_SrvMinDataRate 150 1200
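As an added illustration (not code from the original post), the following Python script replays the counting logic of the connlimit rule in fig.1 in userspace, so you can see what the rule would hit before deploying it: it groups established connections to the web ports by /24 source block, as --connlimit-mask 24 does, and reports blocks above the 12-connection threshold. The `ss -tn`-style lines are constructed sample input.

```python
"""Userspace replica of the iptables connlimit rule: count concurrent TCP
connections to the web ports per /24 source block and flag blocks that
exceed the threshold. Input is a list of `ss -tn`-style lines."""
import ipaddress
from collections import Counter

THRESHOLD = 12              # --connlimit-above 12
MASK_BITS = 24              # --connlimit-mask 24
WEB_PORTS = range(80, 444)  # --dport 80:443 is a port *range* in iptables

# Constructed sample output in `ss -tn` layout: 14 established connections
# from 172.20.32.0/24, one from localhost, one socket already in TIME-WAIT.
SAMPLE_SS = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"] + [
    f"ESTAB 0 0 10.0.0.5:80 172.20.32.{200 + i}:{40000 + i}" for i in range(14)
] + [
    "ESTAB 0 0 10.0.0.5:80 127.0.0.1:51000",
    "TIME-WAIT 0 0 10.0.0.5:80 172.20.32.9:52000",
]


def source_block(ip: str, mask_bits: int = MASK_BITS) -> str:
    """Collapse a source address to its /mask_bits network, as connlimit-mask does."""
    return str(ipaddress.ip_network(f"{ip}/{mask_bits}", strict=False))


def parse_ss_line(line: str):
    """Return (state, local_port, peer_ip) for one `ss -tn` line, or None if it
    is the header or not an IPv4 peer we can interpret."""
    parts = line.split()
    if len(parts) < 5 or parts[0] == "State":
        return None
    state, local, peer = parts[0], parts[3], parts[4]
    try:
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        ipaddress.IPv4Address(peer_ip)
    except (ValueError, IndexError):
        return None
    return state, local_port, peer_ip


def over_limit(lines, threshold: int = THRESHOLD) -> dict:
    """Map each /24 block with more than `threshold` established web
    connections to its connection count (empty dict when nothing exceeds it)."""
    counts = Counter()
    for line in lines:
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        state, port, ip = parsed
        if state == "ESTAB" and port in WEB_PORTS:
            counts[source_block(ip)] += 1
    return {block: n for block, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print(over_limit(SAMPLE_SS))  # constructed sample: {'172.20.32.0/24': 14}
```

Note that the rule only counts connections the kernel has already accepted, so a single slow client under the threshold is still served by Apache; that is why the post combines it with mod_qos or a proxy in front.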


However, as we said, the simplest and safest option for the moment seems to be to place a non-vulnerable web server in front.

To test countering the Slowloris attack, we can move our Apache server to another port (8080) and install the haproxy server in front of it (80):

/home/usuario/haproxy-1.3.20 # wget http://haproxy.1wt.eu/download/1.3/examples/antidos.cfg
=> `antidos.cfg'
Proxy request sent, awaiting response... 200 OK
Length: 2,014 (2.0K) [text/plain]

100%[==================================================================================>] 2,014 --.--K/s

00:54:38 (53.35 MB/s) - `antidos.cfg' saved [2014/2014]


/home/usuario/haproxy-1.3.20 # haproxy -?
HA-Proxy version 1.3.20 2009/08/09
Copyright 2000-2009 Willy Tarreau <w@1wt.eu>

Usage : haproxy [-f ]* [ -vdVD ] [ -n ] [ -N ]
[ -p ] [ -m ]
-v displays version ; -vv shows known build options.
-d enters debug mode ; -db only disables background mode.
-V enters verbose mode (disables quiet mode)
-D goes daemon
-q quiet mode : don't display messages
-c check mode : only check config files and exit
-n sets the maximum total # of connections (2000)
-m limits the usable amount of memory (in MB)
-N sets the default, per-proxy maximum # of connections (2000)
-p writes pids of all children to this file
-sf/-st [pid ]* finishes/terminates old pids. Must be last arguments.

/home/usuario/haproxy-1.3.20 # haproxy -f antidos.cfg
Once haproxy is installed, we launch the attack to check whether the server is vulnerable:

And indeed, we confirm that our web server is no longer vulnerable to Slowloris:

/home/usuario/haproxy-1.3.20 # tail -f /var/log/apache2/error_log
[Wed Sep 16 23:36:52 2009] [error] [client 172.20.32.223] Directory index forbidden by Options directive: /srv/www/htdocs/
[Wed Sep 16 23:36:53 2009] [error] [client 172.20.32.223] Directory index forbidden by Options directive: /srv/www/htdocs/
[Thu Sep 17 00:48:04 2009] [notice] caught SIGTERM, shutting down
[Thu Sep 17 00:48:05 2009] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Thu Sep 17 00:48:05 2009] [notice] mod_antiloris 0.4 started
[Thu Sep 17 00:48:05 2009] [notice] Apache/2.2.13 (Linux/SUSE) mod_ssl/2.2.13 OpenSSL/0.9.8a configured -- resuming normal operations
[Thu Sep 17 00:48:32 2009] [error] [client 172.20.32.223] Directory index forbidden by Options directive: /srv/www/htdocs/
[Thu Sep 17 00:56:00 2009] [error] [client 172.20.32.223] Directory index forbidden by Options directive: /srv/www/htdocs/
[Thu Sep 17 00:56:04 2009] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /srv/www/htdocs/
[Thu Sep 17 00:56:07 2009] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /srv/www/htdocs/