cPanel DDOS attack - Mitigate Slowloris Attacks - mod_qos

Apache mod_evasive

Mod_evasive is a module available for the Apache HTTP server that can automatically block attacks by rate-limiting any IP that sends too many requests in a short time.

Start by installing the module from WHM’s EasyApache 4 interface. Select the Currently Installed Packages profile, search for mod_evasive in the Apache Modules section, and then install it.

The default settings are good for most servers, but you can tweak them further by editing the configuration file /etc/apache2/conf.d/300-mod_evasive.conf. You can also whitelist specific IP addresses or classes, so legitimate requests are not blocked.

Configure CSF to block attacks

While mod_evasive works very well, it only protects the Apache webserver. In order to harden other services as well, you can install the free ConfigServer Security & Firewall (CSF), which also includes a WHM plugin.

As the root user, install CSF with these terminal commands:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf && ./install.sh

The WHM plugin interface is found in Home >> Plugins >> ConfigServer & Firewall.

CSF is a very complex and powerful firewall, with many options. A detailed configuration walkthrough is outside of the scope of this article, but let’s see which CSF features can stop a DDoS attack.

Click on the csf tab and then scroll down and click on Firewall Configuration.

From the drop-down menu, select Connection Tracking.

The CT_LIMIT value sets a maximum limit of connections allowed from a single IP address, while CT_INTERVAL sets the number of seconds between scans.

There are many other settings that you can tweak here, for example CT_BLOCK_TIME controls the temporary ban duration (in seconds) for offending IPs.

Additional anti-DDoS mechanisms can be configured in the Port Scan Tracking section, such as Syn Flood Protection (a Layer 4 attack). You can also define custom rules for specific ports (check the CSF documentation for the correct syntax).

Why correct settings matter

Improper settings can cause legitimate users to be banned or cause significant server load or network latency. It is a good idea to start with the default values and adjust them as needed.

Please also keep in mind that even the best protected websites in the world can still be vulnerable to a well-orchestrated DDoS attack. However, the steps described in this article can offer decent protection to a WHM server and limit the damage done by normal attacks.

How to Mitigate Slowloris Attacks

The mod_reqtimeout module

This method uses the mod_reqtimeout Apache module to mitigate a Slowloris attack. We recommend this method.

To use this module, install it in the Apache Modules section of WHM’s EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4).

The Slowloris attack attempts to exhaust available server resources by opening a large number of connections to a target web server. Then, these connections are held open for as long as possible to prevent these resources from being freed. As there are a finite number of resources available to a web server, other clients will be unable to reach your server.

Procedure

From WHM, navigate to Service Configuration > Apache Configuration.

On the Apache Configuration page, select the Include editor.

In the Include Editor, select the Pre Main include for All Versions and add the following:

<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>

This configuration will wait up to 20 seconds for header data. As long as the client sends header data at a rate of 500 bytes per second, the server will wait for up to 40 seconds for the headers to complete.

This configuration will also wait up to 20 seconds for body data. As long as the client sends header data at a rate of 500 bytes per second, the server will wait for up to 40 seconds for the body of the request to complete.

SINON

When you install this module, it creates the /etc/apache2/conf.modules.d/375_mod_reqtimeout.conf file with the following configuration:

1 2 3

# Enable mod_reqtimeout LoadModule reqtimeout_module modules/mod_reqtimeout.so RequestReadTimeout handshake=0 header=20-40,MinRate=500 body=20,MinRate=500

Resources

For more information on this attack, as well as additional ways to mitigate it, please see:

How to Mitigate Slowloris Attacks {cPanel Docs}

 

The mod_qos module

You can also use the mod_qos module to mitigate Slowloris attacks.

To use this module, install it in the Apache Modules section of WHM’s EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4).

Your /etc/apache2/conf.d/qos.conf file should resemble the following configuration to mitigate Slowloris attacks:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

<IfModule qos_module> # handle connections from up to 100000 different IPs QS_ClientEntries 100000 # allow only 50 connections per IP QS_SrvMaxConnPerIP 50 # Some examples for mod qos show MaxClients/MaxRequestWorkers. Do not set those here, # instead set MaxRequestWorkers in WHM # disables keep-alive when 180 (70%) TCP connections are occupied QS_SrvMaxConnClose 180 # minimum request/response speed # (deny slow clients blocking the server, keeping connections open without requesting anything QS_SrvMinDataRate 150 1200 </IfModule>

This example configuration will enforce the following behavior:

• QS_ClientEntries — This setting handles connections from a maximum of 100,000 IP addresses.
• QS_SrvMaxConnPerIP — This setting limits each IP address to a maximum number of 50 connections.
• QS_SrvMaxConnClose — This setting disables the KeepAlive function when at least 180 connections exist.
• QS_SrvMinDataRate — This setting requires a minimum of 150 bytes per second per connection, and limits the connection to 1200 bytes per second when the server reaches the MaxRequestWorkers limit.

For more information, read the mod_qos documentation.