[Stricker]

Compile and configure mod_qos to prevent
Slowloris DDOS on Apache

mod_qos is becoming a very popular module for Apache, from the discover of Slowloris DDoS Attack. It seems, mod_qos is the best solution for Slowloris attack on Apache 2, but you can also check mod_evasive, mod_security or http accelerator“Varnish”. In this post I will try to present a step by step tutorial how to install mod_qos and configure to prevent Slowloris DDoS attack.

First you should install dev packages to compile mod_qos

Code:

apt-get install apache2-threaded-dev libgnutls-dev libssl-dev gcc make

Now download the latest version of mod_qos from:Sourceforge.net

Code:

$ cd /usr/src
$ wget http://downloads.sourceforge.net/project/mod-qos/9.17/mod_qos-9.17.tar.gz?use_mi
$ tar -xzf mod_qos-9.17.tar.gz

Now you can build the module

Code:

$ cd mod_qos-9.17/apache2/
$ apxs2 -i -c mod_qos.c

You should see the module compiling and if is everything ok the last lines of compile output should be:

Code:

cp .libs/mod_qos.so /usr/lib/apache2/modules/mod_qos.so
    cp .libs/mod_qos.lai /usr/lib/apache2/modules/mod_qos.la
    PATH=”$PATH:/sbin” ldconfig -n /usr/lib/apache2/modules
    ———————————————————————-
    Libraries have been installed in:
    /usr/lib/apache2/modules
    If you ever happen to want to link against installed libraries
    in a given directory, LIBDIR, you must either use libtool, and
    specify the full pathname of the library, or use the `-LLIBDIR’
    flag during linking and do at least one of the following:
    – add LIBDIR to the `LD_LIBRARY_PATH’ environment variable
    during execution
    – add LIBDIR to the `LD_RUN_PATH’ environment variable
    during linking
    – use the `-Wl,–rpath -Wl,LIBDIR’ linker flag
    – have your system administrator add LIBDIR to `/etc/ld.so.conf’
    See any operating system documentation about shared libraries for
    more information, such as the ld(1) and ld.so(8) manual pages.
    ———————————————————————-
    chmod 644 /usr/lib/apache2/modules/mod_qos.so

If you want to compile qslog just run the following commands:

Code:

$ cd /usr/src/mod_qos-9.17/tools
$ make
$ cp qslog /usr/local/bin/

Now you should configure mod_qos. In /etc/apache2/mods-
available/ add 2 files:

1. qos.load with the following content:

Code:

LoadModule qos_module /usr/lib/apache2/modules/mod_qos.so

2. qos.conf with the following content:

Code:

## QoS Settings
# handles connections from up to 100000 different IPs
QS_ClientEntries 100000
# will allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections is limited to 256
MaxClients 256
# disables keep-alive when 70% of the TCP connections are occupied:
QS_SrvMaxConnClose 180
# minimum request/response speed (deny slow clients blocking the server, ie. slowloris keeping
QS_SrvMinDataRate 150 1200
# and limit request header and body (carefull, that limits uploads and post requests too):
# LimitRequestFields 30
# QS_LimitRequestBody 102400

Now you should enable the module and restart Apache.

Code:

$ a2enmod qos
$ /etc/init.d/apache2 restart

Now you are ready.

To see the attacks from logs you can use qslogs:

Code:

$ cat /var/log/apache2/access.log | qslog -f ..IR.B.T -o /tmp/stat_log -p

That's all,Hope my post will help everyone,Rep+ will be appreciated.

[unknownAttacker]

nice one, but does it prevent distributed Slowloris attacks? would like to know, I have a Slowloris botnet

[Stricker]

Yes bro,it should be,but not every website know about this protection,