Mitigating slowloris attack

maestroc

I am randomly getting slowloris style attacks on my server. Using the info found on here and other places I have determined that the attacks are primarily coming from a large block of IPs in Singapore that all begin with the number 47.128.xx.xx. This started a few days ago and seems to come back every 6-8 hours.

I heard about mod_qos, but when I try to add it in EasyApache it tells me that it has to uninstall some things, and I am unaware of whether they are important or not:

The following conflicts are installed on this machine. They will be removed as part of this package selection:
  • mod_mpm_prefork
  • mod_cgi
The following requirements are not installed on this machine. They will be added as part of this package selection:
  • mod-qos
  • mod_mpm_worker
  • mod_cgid

Do I need to worry about any of this? Or should I just go ahead and install mod_qos?

I see that mod_reqtimeout is also suggested, and that one shows no conflicts when I have EasyApache review the build. However, the docs I have seen about that don't tell me much about configuring it. Do I just build it into Apache and it will work out of the box?

As a last resort would it be adequate for now to take the easy way and just geo block Singapore since I know I will not be getting any legitimate traffic from there based on my server's content?
 

ITHKBO

Here is all the information with regards to the module differences.
The Prefork MPM is designed to handle multiple incoming connections by creating multiple processes, each of which can handle a single connection at a time. This design is best suited for applications that require a high degree of stability and robustness, as it ensures that a single client request cannot crash the entire server. Additionally, since each process runs in its own memory space, there is a reduced risk of one client’s request affecting the performance of another.

On the other hand, the Worker MPM is designed to handle multiple connections using multiple threads within a single process. This design is more resource-efficient than the Prefork MPM, as it requires less memory and can handle more connections simultaneously. However, this design also means that a single client request has the potential to crash the entire server, so it may not be suitable for applications that require a high degree of stability.

This module is used by default instead of mod_cgi whenever a multi-threaded MPM is selected during the compilation process. At the user level, this module is identical in configuration and operation to mod_cgi. The only exception is the additional directive ScriptSock, which gives the name of the socket to use for communication with the cgi daemon.

To simplify: MPM Worker is required for mod-qos to work, in addition to being able, by design, to reduce resource use compared to the default module. The mod-cgi to mod-cgid switchover is a byproduct, because cgid is better designed for multi-threading and is thus set as a dependency; in theory it should work with cgi, but that is not recommended.


However, cPanel recommends using mod_reqtimeout instead of mod-qos.

They require no additional changes to MPM or cgi, so best of both worlds while offering a similar defence.
In addition since 2.2.15 Apache itself recommends using mod_reqtimeout.

Below is a screenshot of the EA4 change review with cgi and prefork installed.
[Image: reqtimeout.PNG]
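For the configuration question raised in this thread, here is an added example (not from either poster, and not cPanel or Apache code) that models how a `RequestReadTimeout` stage setting treats ordinary and slow clients. The stage syntax follows Apache's mod_reqtimeout documentation; the sample values, the function names `parse_stage` and `read_outcome`, and the client behaviours are constructed for illustration.

```python
import re

# Simplified model of the documented RequestReadTimeout semantics (an assumption
# of this example, not mod_reqtimeout's source): a stage starts with `initial`
# seconds, each received byte extends the deadline by 1/MinRate seconds, and the
# deadline never passes `maximum` when one is given.
STAGE = re.compile(r"(header|body)=(\d+)(?:-(\d+))?(?:,MinRate=(\d+))?", re.I)

def parse_stage(spec):
    """'header=20-40,MinRate=500' -> (initial_s, max_s or None, min_rate or None)."""
    m = STAGE.fullmatch(spec)
    if not m:
        raise ValueError(f"unsupported stage spec: {spec!r}")
    _, initial, maximum, rate = m.groups()
    return int(initial), int(maximum) if maximum else None, int(rate) if rate else None

def read_outcome(spec, total_bytes, chunk_bytes, interval_s):
    """Client delivers chunk_bytes every interval_s; return (status, seconds)."""
    initial, maximum, rate = parse_stage(spec)
    deadline, now, received = float(initial), 0.0, 0
    while received < total_bytes:
        now += interval_s
        if now > deadline:
            return "timeout", deadline      # deadline passed: the read is aborted
        n = min(chunk_bytes, total_bytes - received)
        received += n
        if rate:                            # data arrived: extend the deadline
            deadline += n / rate
            if maximum is not None:
                deadline = min(deadline, float(maximum))
    return "complete", now

if __name__ == "__main__":
    cases = [  # constructed client behaviours, not measurements
        ("header=20-40,MinRate=500", 800, 800, 0.05),  # ordinary browser
        ("header=20-40,MinRate=500", 800, 10, 10),     # slow trickle
        ("body=20-40,MinRate=500", 30000, 500, 1),     # exactly at MinRate, hits cap
        ("body=20,MinRate=500", 30000, 500, 1),        # same client, no cap
    ]
    for spec, total, chunk, every in cases:
        print(spec, total, chunk, every, "->", read_outcome(spec, total, chunk, every))
```

The last two cases show why the upper bound in `20-40` matters: a client that sends at exactly the minimum rate is cut off at 40 seconds with the cap, but holds the connection for the full transfer without it.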