Mitigating slowloris attack


Well-Known Member
Aug 23, 2012
cPanel Access Level
Reseller Owner
I am randomly getting slowloris style attacks on my server. Using the info found on here and other places I have determined that the attacks are primarily coming from a large block of IP's in Singapore that all begin with the number 47.128.xx.xx. This started a few days ago and seems to come back every 6-8 hours.

I heard about mod_qos but when I try to add it to my easy apache it tells me that it has to uninstall some things that I am unaware of whether it is important or not:

The following conflicts are installed on this machine. They will be removed as part of this package selection:
  • mod_mpm_prefork
  • mod_cgi
The following requirements are not installed on this machine. They will be added as part of this package selection:
  • mod-qos
  • mod_mpm_worker
  • mod_cgid

Do I need to worry about any of this? Or should I just go ahead and install mod_qos?

I also see that mod_reqtimeout is also suggested and that one shows no conflicts when I have easy apache review the build. However the docs I have seen about that don't tell me much about configuring it. Do I just build it into apache and it will work out of the box?

As a last resort would it be adequate for now to take the easy way and just geo block Singapore since I know I will not be getting any legitimate traffic from there based on my server's content?
Last edited by a moderator:


Well-Known Member
Jun 23, 2020
cPanel Access Level
Root Administrator
Here is all the information with regards to the module differences.
The Prefork MPM is designed to handle multiple incoming connections by creating multiple processes, each of which can handle a single connection at a time. This design is best suited for applications that require a high degree of stability and robustness, as it ensures that a single client request cannot crash the entire server. Additionally, since each process runs in its own memory space, there is a reduced risk of one client’s request affecting the performance of another.

On the other hand, the Worker MPM is designed to handle multiple connections using multiple threads within a single process. This design is more resource-efficient than the Prefork MPM, as it requires less memory and can handle more connections simultaneously. However, this design also means that a single client request has the potential to crash the entire server, so it may not be suitable for applications that require a high degree of stability.
This module is used by default instead of mod_cgi whenever a multi-threaded MPM is selected during the compilation process. At the user level, this module is identical in configuration and operation to mod_cgi. The only exception is the additional directive ScriptSock which gives the name of the socket to use for communication with the cgi daemon.
To simply MPM Worker is required for mod-qos to work in addition of by design being able to reduce the resource use compared to the default module and mod-cgi to mod-cgid switchover is a byproduct because cgid is better designed for multi-threading and thus set as dependency though in theory it should work with cgi but not recommended.

However cPanel recommends using mod_reqtimeout instead of mod-qos

They require no additional changes to MPM or cgi so best of both worlds while offering a simular defence.
In addition since 2.2.15 Apache itself recommends using mod_reqtimeout.

Below a screen of ea4 change review with cgi and prefork installed.