Bug 56751

Summary: Fails to properly mitigate Slow Post DoS attack
Product: Apache httpd-2
Reporter: zmaximz
Component: mod_reqtimeout
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: major    
Priority: P2    
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description zmaximz 2014-07-20 17:13:25 UTC
DETAILS:

The recommended/default mod_reqtimeout configuration allows a remote attacker to consume all Apache connections while sending part of the post body in time intervals (AKA SlowPost attack) with a byte-rate greater than the configured MinRate (500 by default).

Example: Sending 10Kb of the body every 5 seconds will bypass the recommended configuration.

References to recommended conf:
1. http://publib.boulder.ibm.com/httpserv/manual60/mod/mod_reqtimeout.html
2. http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SlowlorisAttacks
3. http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html#Mitigating Slow Request Attacks with Mod_Reqtimeout and ModSecurity

IMPACT:

Most Apache users who rely on the mod_reqtimeout module to mitigate the SlowPost DoS attack are vulnerable.

SOLUTION:
Add to the default configuration an upper bound (maxtimeout) for the "body" parameter.

Comment 1 Eric Covener 2014-07-20 18:30:57 UTC
http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html

The first and fourth examples in the manual use a maxtimeout on the body (if I'm understanding the syntax correctly). 

Net, if you want a maxtimeout, you have to configure one. 

Is it the manual you want updated? 
Or some default configuration? 
Or the way the module behaves if you load it and don't configure it at all?

Do you have an argument for a reasonable (doesn't break normal clients) and effective (actual benefit to a client that reconnects) body maxtimeout?

Comment 2 zmaximz 2014-07-20 20:26:31 UTC
As I understand from the module's behavior, "timeout" refers to "time to first byte" of the header/body and "maxtimeout" refers to "time to last byte" of the header/body.

"type=timeout-maxtimeout,MinRate=data_rate" 

What I believe is missing is the "maxtimeout" for the body:
RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500

Instead of:
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

The missing "maxtimeout" for the body makes the described attack effective.
I believe 40 seconds is a reasonable time for "maxtimeout".

I think editing the example might be the first step, so future mod_reqtimeout users won't be vulnerable.

Is there a common channel to inform all the distributions that ship with Apache httpd, so they could consider changing their default configuration?
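
Added example, not part of the original bug report and not httpd code: a Python audit that parses the two RequestReadTimeout lines quoted in Comment 2, flags stages that set a MinRate without a maxtimeout, and uses a simplified model of the documented deadline extension to show when each body setting closes the connection. The function names, the reading of "10Kb" as 10240 bytes and the one-hour horizon are assumptions.

```python
import re

# Constructed sample input: the two directives quoted in Comment 2.
RECOMMENDED = "RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500"
PROPOSED = "RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500"

# One stage of the directive, e.g. "body=20-40,MinRate=500".
STAGE_RE = re.compile(
    r"\b(header|body)=(\d+)(?:-(\d+))?(?:,MinRate=(\d+))?", re.IGNORECASE)

def parse_directive(line):
    """Return {stage: (timeout, maxtimeout or None, minrate or None)}."""
    return {name.lower(): (int(t), int(tmax) if tmax else None,
                           int(rate) if rate else None)
            for name, t, tmax, rate in STAGE_RE.findall(line)}

def unbounded_stages(line):
    """Stages with a MinRate but no maxtimeout: the deadline has no cap."""
    return [name for name, (t, tmax, rate) in parse_directive(line).items()
            if t > 0 and rate and tmax is None]

def seconds_until_timeout(stage, chunk_bytes, interval, horizon=3600):
    """Model a client that sends chunk_bytes every `interval` seconds.

    Simplified model of the documented behaviour (an assumption, not the
    module's code): the deadline starts at `timeout`, grows by
    received_bytes / MinRate, and is capped at `maxtimeout` when set.
    Returns the second at which the stage times out, or None if the
    connection is still open at `horizon`.
    """
    timeout, maxtimeout, minrate = stage
    if timeout == 0:              # 0 disables the limit for this stage
        return None
    deadline, t = float(timeout), interval
    while t <= horizon:
        if t > deadline:          # next chunk arrives after the deadline
            return deadline
        if minrate:
            deadline += chunk_bytes / minrate
            if maxtimeout is not None:
                deadline = min(deadline, float(maxtimeout))
        t += interval
    return deadline if deadline < horizon else None

if __name__ == "__main__":
    for line in (RECOMMENDED, PROPOSED):
        body = parse_directive(line)["body"]
        print(line, "| unbounded:", unbounded_stages(line),
              "| body closes at:", seconds_until_timeout(body, 10240, 5))
```
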

Comment 3 Eric Covener 2014-07-20 21:43:37 UTC
> I think editing the example might be the first step, so future
> mod_reqtimeout users won't be vulnerable.

Is what you're referring to as "the example" the text next to the word "Default" in the manual?  The default is not an example, it's what you get by default when you don't use the directive.  In other words, the compiled-in defaults for the module. Is that what you're lobbying for to be 40 seconds?

As I said before, there are plenty of examples that use a timeout for the body. But the user has to select one.

Please start a thread over on dev@httpd.apache.org if you want to discuss a change to the defaults in the 2.4 or 2.2 maintenance stream -- I am personally not in favor, but that is the proper place for discussion.

> Is there a common channel to inform all the distributions that ship with
> Apache httpd, so they could consider changing their default configuration?

Not really.