Re: Protect Apache against slowloris with Varnish

From: Morten Winther (none@freebsd--mwi.dk.lh.bsd-dk.dk)
Date: Tue 30 Jun 2009 - 13:17:42 CEST


To: bsd-dk@bsd-dk.dk

On 24 Jun 2009 at 21:22, <none@thomas--gibfest.dk.lh.bsd-dk.dk> wrote:
>
> Hi,
>
> I have successfully set up Varnish to protect Apache against attacks from
> the tool called slowloris, which was released last week. This evening at
> Happy Hacking we sat and played with different ways of protecting one's
> Apache, and that gave me the appetite to write down my approach.

Did you also talk about ACCEPT_FILTER_HTTP?

Isn't that precisely a BSD feature that can protect against slowloris?

"FreeBSD features an accept_filter(9) mechanism which allows an
application to request that the kernel pre-process incoming connections.
For example, the accf_http(9) accept filter prevents accept(2) from
returning until a full HTTP request has been buffered.

No accept filters are enabled by default. A system administrator must
either compile the FreeBSD kernel with a particular accept filter
option (such as ACCEPT_FILTER_HTTP) or load the filter using
kldload(8) in order to utilize accept filters."

The resolution to the above problem is to load the accf_http module, whose
function is to buffer incoming connections until complete HTTP requests
arrive, into the FreeBSD kernel by using the kernel linker:

kldload accf_http

To permanently load and enable the HTTP Accept Filter FreeBSD kernel module
(accf_http), add the following line to /boot/loader.conf:

accf_http_load="YES"

Note: The default settings are located in /boot/defaults/loader.conf. To
see the related settings for accf, use:

grep accf /boot/defaults/loader.conf

which will return:

accf_data_load="NO" # Wait for data accept filter
accf_http_load="NO" # Wait for full HTTP request accept filter
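An added example, not part of the mail above: a small audit script for the accf_http setup it describes. Each check reads the text it inspects from stdin, so it works on the live commands and files on a FreeBSD host or on saved copies; the Apache config path and the sample command output are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): verify that the accf_http
# accept filter is loaded now, will load at boot, and that Apache asks
# for it. Every check reads stdin and prints 1 (ok) or 0 (not ok).

# 1 if kldstat output on stdin lists the accf_http kernel module.
accf_http_loaded() {
    if grep -q 'accf_http\.ko' ; then echo 1; else echo 0; fi
}

# 1 if loader.conf text on stdin sets accf_http_load to exactly "YES" in
# straight double quotes on an uncommented line. A value pasted from a web
# page with curly quotes is not the bare YES, so it does not count.
loader_conf_enables_accf() {
    if grep -q '^[[:space:]]*accf_http_load="YES"' ; then echo 1; else echo 0; fi
}

# 1 if Apache config text on stdin explicitly requests the httpready filter
# for http. On FreeBSD this is httpd's default, but stating it makes the
# intent visible; if the module is missing httpd logs a warning about
# failing to enable the Accept Filter and serves without it.
apache_uses_httpready() {
    if grep -qi '^[[:space:]]*AcceptFilter[[:space:]][[:space:]]*http[[:space:]][[:space:]]*httpready' ; then
        echo 1
    else
        echo 0
    fi
}

# Runs the three checks on a live FreeBSD host. The httpd.conf location is
# an assumption (Apache 2.2 from ports); adjust for your install.
audit_accf_http() {
    loaded=$(kldstat | accf_http_loaded)
    at_boot=$(loader_conf_enables_accf < /boot/loader.conf)
    apache=$(apache_uses_httpready < /usr/local/etc/apache22/httpd.conf)
    echo "accf_http loaded now:        $loaded"
    echo "accf_http loaded at boot:    $at_boot"
    echo "Apache AcceptFilter httpready: $apache"
    [ "$loaded" = 1 ] && [ "$at_boot" = 1 ] && [ "$apache" = 1 ]
}

# Only run the live audit when asked, so the functions can be sourced
# and tested on saved output elsewhere.
if [ "${1:-}" = "--run" ]; then audit_accf_http; fi
```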



This archive was generated by hypermail 2b30 : Tue 30 Jun 2009 - 23:00:01 CEST