Compile and configure mod_qos to prevent Slowloris DDOS on Apache 2 from Debian Lenny distribution

mod_qos is becoming a very popular module for Apache, from the discover of Slowloris DDoS Attack. It seems, mod_qos is the best solution for Slowloris attack on Apache 2, but you can also check mod_evasive, mod_security or http accelerator “Varnish”. In this post I will try to present a step by step tutorial how to install mod_qos and configure to prevent Slowloris DDoS attack.

This post is just a compendium of other good posts:

• How To Defend slowloris DDoS With mod_qos (Apache2 On Debian [Lenny])
• DDoS, Apache2 and mod_qos
• How to best defend against a “slowloris” DOS attack against an Apache web server?

First you should install dev packages to compile mod_qos

apt-get install apache2-threaded-dev libgnutls-dev libssl-dev gcc make

Now download the latest version of mod_qos from http://sourceforge.net/projects/mod-qos/


$ cd /usr/src
$ wget http://downloads.sourceforge.net/project/mod-qos/9.17/mod_qos-9.17.tar.gz?use_mirror=garr
$ tar -xzf mod_qos-9.17.tar.gz


Now you can build the module


$ cd mod_qos-9.17/apache2/
$ apxs2 -i -c mod_qos.c


You should see the module compiling and if is everything ok the last lines of compile output should be:

cp .libs/mod_qos.so /usr/lib/apache2/modules/mod_qos.so
cp .libs/mod_qos.lai /usr/lib/apache2/modules/mod_qos.la
PATH=”$PATH:/sbin” ldconfig -n /usr/lib/apache2/modules
———————————————————————-
Libraries have been installed in:
/usr/lib/apache2/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR’
flag during linking and do at least one of the following:
– add LIBDIR to the `LD_LIBRARY_PATH’ environment variable
during execution
– add LIBDIR to the `LD_RUN_PATH’ environment variable
during linking
– use the `-Wl,–rpath -Wl,LIBDIR’ linker flag
– have your system administrator add LIBDIR to `/etc/ld.so.conf’

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
———————————————————————-
chmod 644 /usr/lib/apache2/modules/mod_qos.so

If you want to compile qslog just run the following commands:


$ cd /usr/src/mod_qos-9.17/tools
$ make
$ cp qslog /usr/local/bin/


Now you should configure mod_qos. In /etc/apache2/mods-available/ add 2 files:
1. qos.load with the following content:

LoadModule qos_module /usr/lib/apache2/modules/mod_qos.so


2. qos.conf with the following content:

## QoS Settings

# handles connections from up to 100000 different IPs
QS_ClientEntries 100000
# will allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections is limited to 256
MaxClients 256
# disables keep-alive when 70% of the TCP connections are occupied:
QS_SrvMaxConnClose 180
# minimum request/response speed (deny slow clients blocking the server, ie. slowloris keeping connections open without requesting anything):
QS_SrvMinDataRate 150 1200
# and limit request header and body (carefull, that limits uploads and post requests too):
# LimitRequestFields 30
# QS_LimitRequestBody 102400



Now you should enable the module and restart Apache.

$ a2enmod qos
$ /etc/init.d/apache2 restart


Now you are ready.

To see the attacks from logs you can use qslogs:

$ cat /var/log/apache2/access.log | qslog -f ..IR.B.T -o /tmp/stat_log -p


Good luck!