---
id: 1aeb2fdc-deb3-4a25-9c25-eb2bb77bb6ae
---

# Slowloris Attack Detected on Apache server.
---

The Slowloris Attack is a type of Denial of Service (DoS) attack that exploits a vulnerability in the Apache web server. It works by sending HTTP requests to the server and keeping those connections open for as long as possible, thereby using up all the available resources of the server and rendering it unresponsive to legitimate requests. As a result, the server becomes slow or unresponsive, causing downtime for the affected website or service. This type of attack can be detected and mitigated by implementing specific security measures and tools.

### Parameters
```shell
export APACHE_PORT="PLACEHOLDER"

export INTERFACE="PLACEHOLDER"

export IP_ADDRESS="PLACEHOLDER"

export PATH_TO_APACHE_CONF_FILE="PLACEHOLDER"

export MAX_CONNECTIONS_PER_IP="PLACEHOLDER"

```

## Debug

### Check if Apache is running
```shell
systemctl status apache2
```

### Check Apache logs for any suspicious activity
```shell
tail -f /var/log/apache2/access.log
```

### Check active connections to the server
```shell
netstat -anp | grep ${APACHE_PORT}
```

### Check the number of connections per IP address
```shell
netstat -anp | grep ${APACHE_PORT} | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```

### Check Apache server status for any suspicious activity
```shell
curl -I http://localhost/server-status
```

### Check Apache server configuration for any vulnerabilities
```shell
apache2ctl -t -D DUMP_MODULES
```

### Check for any active Slowloris attacks
```shell
tcpdump -i ${INTERFACE} 'tcp[20:2] == 0x4745'
```

### Block IPs with suspicious activity
```shell
iptables -A INPUT -s ${IP_ADDRESS} -j DROP
```

## Repair

### Configure the Apache server to limit the number of connections from a single IP address.
```shell
bash

#!/bin/bash



# Apache configuration file path

APACHE_CONF_PATH="${PATH_TO_APACHE_CONF_FILE}"



# Maximum number of connections per IP address

MAX_CONNECTIONS_PER_IP="${MAX_CONNECTIONS_PER_IP}"



# Get the current value of the MaxClients directive

MAX_CLIENTS=$(grep -oP 'MaxClients \K[0-9]+' $APACHE_CONF_PATH)



# Calculate the new value of the MaxClients directive

NEW_MAX_CLIENTS=$(expr $MAX_CLIENTS \* $MAX_CONNECTIONS_PER_IP)



# Update the MaxClients directive in the Apache configuration file

sed -i "s/MaxClients $MAX_CLIENTS/MaxClients $NEW_MAX_CLIENTS/g" $APACHE_CONF_PATH



# Restart the Apache service

systemctl restart apache2


```

### Install a rate-limiting module on the server to prevent excessive requests from any single IP address.
```shell


#!/bin/bash



# Install the mod_evasive Apache module

sudo apt-get update

sudo apt-get install libapache2-mod-evasive



# Configure mod_evasive to limit requests from a single IP address

sudo tee /etc/apache2/mods-available/mod-evasive.conf > /dev/null ${<EOF

<IfModule mod_evasive20.c}

    DOSHashTableSize 3097

    DOSPageCount 10

    DOSSiteCount 50

    DOSPageInterval 1

    DOSSiteInterval 1

    DOSBlockingPeriod 10

    DOSEmailNotify admin@domain.com

    DOSSystemCommand "sudo /usr/bin/logger -t mod_evasive -p local6.info"

    DOSLogDir "/var/log/apache2/"

    DOSWhitelist 127.0.0.1

${_IFMODULE}

EOF



# Enable the mod_evasive module and restart Apache

sudo a2enmod evasive

sudo systemctl restart apache2.service


```

The Slowloris Attack is a type of Denial of Service (DoS) attack that exploits a vulnerability in the Apache web server. It works by sending HTTP requests to the server and keeping those connections open for as long as possible, thereby using up all the available resources of the server and rendering it unresponsive to legitimate requests. As a result, the server becomes slow or unresponsive, causing downtime for the affected website or service. This type of attack can be detected and mitigated by implementing specific security measures and tools.


A DoS (Denial of Service) attack on a Tomcat server occurs when attackers flood the server with an overwhelming amount of traffic, causing the server to become unresponsive and unable to handle legitimate requests. This attack results in service disruptions, making the server unavailable to users. The goal of the DoS attack is to make the targeted service unavailable to its users, causing inconvenience or financial losses to the organization that operates the server.


DoS Attack on Tomcat Server

This incident type refers to an unauthorized access to directories in Apache HTTPD, which is a widely used web server software. It means that someone was able to access files or directories that they were not supposed to, without having proper authorization. This type of incident can potentially lead to sensitive data being exposed or even stolen, and can compromise the security of the server and the applications running on it.


Unauthorized Directory Access in Apache HTTPD.

This incident type refers to the detection of SQL injection attempts in Apache web server logs. SQL injection is a type of cyber attack that exploits vulnerabilities in web applications allowing attackers to execute malicious SQL statements. In this incident, attackers are attempting to inject SQL code into the URI (Uniform Resource Identifier) of an Apache web server, potentially compromising the server's security and exposing sensitive information.


Apache SQL Injection Attempts in URI Incident

This incident type refers to a security vulnerability in the SSL/TLS configuration of the Apache HTTP Server, which can leave the server and its users vulnerable to attacks. The SSL/TLS configuration is responsible for encrypting the communication between the server and its clients, and if it is not configured properly, it can be exploited by hackers to intercept or modify sensitive data. This type of incident requires immediate attention from software engineers to ensure that the SSL/TLS configuration is properly configured to prevent any potential security threats.


Inadequate SSL/TLS Configuration for Apache HTTP Server.

This incident type refers to a situation where the Apache server is under high load due to busy workers, which may result in slow or unresponsive websites. This can occur when the number of workers reaches the maximum limit or when a large number of requests are being processed simultaneously. This incident requires immediate attention to avoid any negative impact on the website's performance.


High Apache Workers Load

```shell
export APACHE_PORT="PLACEHOLDER"

export INTERFACE="PLACEHOLDER"

export IP_ADDRESS="PLACEHOLDER"

export PATH_TO_APACHE_CONF_FILE="PLACEHOLDER"

export MAX_CONNECTIONS_PER_IP="PLACEHOLDER"

```


### Check if Apache is running

```shell
systemctl status apache2
```

### Check Apache logs for any suspicious activity

```shell
tail -f /var/log/apache2/access.log
```

### Check active connections to the server

```shell
netstat -anp | grep ${APACHE_PORT}
```

### Check the number of connections per IP address

```shell
netstat -anp | grep ${APACHE_PORT} | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```

### Check Apache server status for any suspicious activity

```shell
curl -I http://localhost/server-status
```

### Check Apache server configuration for any vulnerabilities

```shell
apache2ctl -t -D DUMP_MODULES
```

### Check for any active Slowloris attacks

```shell
tcpdump -i ${INTERFACE} 'tcp[20:2] == 0x4745'
```

### Block IPs with suspicious activity

```shell
iptables -A INPUT -s ${IP_ADDRESS} -j DROP
```


### Configure the Apache server to limit the number of connections from a single IP address.

```shell
bash

#!/bin/bash



# Apache configuration file path

APACHE_CONF_PATH="${PATH_TO_APACHE_CONF_FILE}"



# Maximum number of connections per IP address

MAX_CONNECTIONS_PER_IP="${MAX_CONNECTIONS_PER_IP}"



# Get the current value of the MaxClients directive

MAX_CLIENTS=$(grep -oP 'MaxClients \K[0-9]+' $APACHE_CONF_PATH)



# Calculate the new value of the MaxClients directive

NEW_MAX_CLIENTS=$(expr $MAX_CLIENTS \* $MAX_CONNECTIONS_PER_IP)



# Update the MaxClients directive in the Apache configuration file

sed -i "s/MaxClients $MAX_CLIENTS/MaxClients $NEW_MAX_CLIENTS/g" $APACHE_CONF_PATH



# Restart the Apache service

systemctl restart apache2


```

### Install a rate-limiting module on the server to prevent excessive requests from any single IP address.

```shell


#!/bin/bash



# Install the mod_evasive Apache module

sudo apt-get update

sudo apt-get install libapache2-mod-evasive



# Configure mod_evasive to limit requests from a single IP address

sudo tee /etc/apache2/mods-available/mod-evasive.conf > /dev/null ${<EOF

<IfModule mod_evasive20.c}

    DOSHashTableSize 3097

    DOSPageCount 10

    DOSSiteCount 50

    DOSPageInterval 1

    DOSSiteInterval 1

    DOSBlockingPeriod 10

    DOSEmailNotify admin@domain.com

    DOSSystemCommand "sudo /usr/bin/logger -t mod_evasive -p local6.info"

    DOSLogDir "/var/log/apache2/"

    DOSWhitelist 127.0.0.1

${_IFMODULE}

EOF



# Enable the mod_evasive module and restart Apache

sudo a2enmod evasive

sudo systemctl restart apache2.service


```


Slowloris Attack Detected on Apache server.

Overview

Parameters

Debug

Check if Apache is running

Check Apache logs for any suspicious activity

Check active connections to the server

Check the number of connections per IP address

Check Apache server status for any suspicious activity

Check Apache server configuration for any vulnerabilities

Check for any active Slowloris attacks

Block IPs with suspicious activity

Repair

Configure the Apache server to limit the number of connections from a single IP address.

Install a rate-limiting module on the server to prevent excessive requests from any single IP address.

Learn more

Related Runbooks

DoS Attack on Tomcat Server

Unauthorized Directory Access in Apache HTTPD.

Apache SQL Injection Attempts in URI Incident

Inadequate SSL/TLS Configuration for Apache HTTP Server.

Product

Resources

Support

Company