https://www.owasp.org/images/0/04/Roberto_Suggi_Liverani_OWASPNZDAY2010-Defending_against_application_DoS.pdf
slowloris
http://www.huffingtonpost.co.uk/-frontier/slow-loris_b_8541930.html
Exhaust all the threads.
Change HTTP headers to simulate multiple connections/browsers
Exhaust all threads available
HTTP POST DoS
No delay in sending HTTP Headers (!= Slowloris)
Content-Length = 1000 bytes
HTTP message body is sent 1 byte each 110 seconds till the last byte
Require a good number of threads per each machine
- <10k connections to bring down Apache
- ~60k connections for IIS (if rapid fail protection is on)
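The two slow-request patterns above stall in different places: Slowloris holds the headers open, while the HTTP POST DoS sends the headers at once and then trickles the body. The following Python example is added here and is not from the original slides; it classifies open connections in a constructed snapshot and lists clients holding several slow ones. The `Conn` record, the thresholds and the sample IPs are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Conn:
    client_ip: str
    age_s: float          # seconds since the connection was accepted
    headers_done: bool    # True once the blank line ending the headers arrived
    content_length: int   # declared Content-Length (0 if none)
    body_received: int    # body bytes received so far

# Assumed thresholds for this example; tune them against real traffic.
HEADER_DEADLINE_S = 10    # headers should be complete within this time
MIN_BODY_RATE_BPS = 100   # minimum acceptable body rate in bytes/second
GRACE_S = 5               # do not judge the body rate of very young connections
MAX_SLOW_PER_IP = 2       # slow connections tolerated per client IP

def classify(c: Conn) -> str:
    """Return 'slow-headers', 'slow-body' or 'ok' for one open connection."""
    if not c.headers_done:
        return "slow-headers" if c.age_s > HEADER_DEADLINE_S else "ok"
    remaining = c.content_length - c.body_received
    if remaining <= 0 or c.age_s < GRACE_S:
        return "ok"
    rate = c.body_received / c.age_s
    return "slow-body" if rate < MIN_BODY_RATE_BPS else "ok"

def offenders(conns):
    """Map client IP -> slow connection count, for IPs over MAX_SLOW_PER_IP."""
    slow = Counter(c.client_ip for c in conns if classify(c) != "ok")
    return {ip: n for ip, n in slow.items() if n > MAX_SLOW_PER_IP}

# Constructed snapshot of open connections (not real traffic).
SAMPLE = (
    [Conn("198.51.100.7", 330.0, True, 1000, 3)] * 3     # 1 byte per 110 s
    + [Conn("198.51.100.9", 45.0, False, 0, 0)] * 4      # headers never finish
    + [Conn("203.0.113.20", 8.0, True, 500000, 400000),  # normal upload
       Conn("203.0.113.21", 2.0, False, 0, 0)]           # brand-new connection
)

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE).items():
        print(f"{ip}: {n} slow connections")
```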
HTTP Flooders/DDoS Attack
Most common L7 attack
Typically launched from botnets
Black Energy botnet C&C interface
Frequencies, thread and command option
Apache
Key Directives
MaxClients, Timeout, KeepAlive and KeepAliveTimeout
Traffic Shaping
mod_throttle - limit the frequency of requests allowed from a single client within a window of time
mod_bwshare - bandwidth throttling by HTTP client IP address
mod_limitipconn - limit the number of simultaneous downloads permitted from a single IP address
mod_dosevasive - detects too many connections and temporarily blocks the offending IP address
mod_security - WAF, filtering, monitoring, loggi