
I have been targeted by a slowloris attack for several weeks now (during the worst period of the year [Black Friday / Cyber Monday]).

This is an advanced DDoS attack where I get a lot of slow HTTP requests that generate 408 error codes in the server log ("-" 408 156 "-" "-"). There are thousands, maybe tens of thousands or even hundreds of thousands of different IPs. I just don't understand how it is possible. I also don't know why I am targeted; I only have a small website. One week ago, I thought that my hosting provider had some issues because suddenly the connection to the website was really slow, with a latency of 5 seconds; the day after it was 8-10 seconds, the day after 15 seconds. Only at that point did I search my entire logs, and I found hundreds of thousands of 408 error code lines.

I have added mod_antiloris, but it only rejects a single IP that creates 10/20+ connections, whereas the IPs in this attack only create 3-4 connections max.

mod_reqtimeout is enabled with: RequestReadTimeout header=20-40,minrate=500 body=10,minrate=500 (I have an SSL certificate). It doesn't seem to do anything.

I have set the apache2.conf Timeout from 300 to 60. I don't see any difference.

The only thing that mitigates the attack is increasing the number of MaxRequestWorkers in mpm_prefork.conf. However, the attack only needs to increase its capacity, and that is of course what is happening: slowly the number of slow HTTP requests is increasing, trying to reach the limit of my server again.

I have tried to disable KeepAlive: no difference.

I have tried mod_qos, but it requires mpm_worker to be enabled (instead of mpm_prefork). From what I understand, mpm_worker generates PHP instabilities. Also, I have not yet tried mod_security, which seems more complicated.

I have tried to put the website behind Cloudflare, but the attack continues. It seems that the slow requests are sent directly to the server IP.

Some people on the Web say that an Nginx reverse proxy in front of Apache would work?


2 Answers

1

I have tried to put the website behind CloudFlare but the attack continues. It seems that the slow requests are sent directly to the server IP address.

The recommended solution is to disallow direct access to your webserver and only accept traffic that is sent via the CloudFlare CDN.

https://developers.cloudflare.com/fundamentals/setup/allow-cloudflare-ip-addresses/

Basically that means: configure your host-based firewall, actual firewall, security group, or even only your web server, to disallow all access EXCEPT from addresses that belong to CloudFlare. They publish their IP ranges here: https://www.cloudflare.com/ips/
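One way to implement that allow-list on the origin host, as an added example that is not part of the answer above: a POSIX sh script that turns a list of CDN ranges into iptables rules for ports 80/443 and drops everything else on those ports, so slow requests aimed at the bare server IP never reach Apache. The two CIDRs embedded in it are constructed RFC 5737 placeholders, not Cloudflare's real ranges; the file path /etc/cloudflare-ips.txt is an assumption.

```shell
#!/bin/sh
# Allow HTTP/HTTPS only from the CDN's published ranges; drop direct hits on the origin.
# Constructed placeholder ranges (RFC 5737 documentation prefixes): replace with the
# list from https://www.cloudflare.com/ips/ before use.
CF_RANGES="198.51.100.0/24
203.0.113.0/24"

# cf_rules CIDR_LIST -> print the iptables commands, one per line, without executing them,
# so the ruleset can be reviewed first. Lines that are not IPv4 CIDRs are ignored.
cf_rules() {
    printf '%s\n' "$1" | grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$' | while read -r cidr; do
        for port in 80 443; do
            printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$cidr"
        done
    done
    # Default: anything else reaching the web ports (i.e. the bare origin IP) is dropped.
    # Other ports (SSH, monitoring) are untouched, so they keep their own rules.
    printf 'iptables -A INPUT -p tcp --dport 80 -j DROP\n'
    printf 'iptables -A INPUT -p tcp --dport 443 -j DROP\n'
}

# cf_rule_count CIDR_LIST -> number of rules generated (2 per valid range + 2 drops)
cf_rule_count() {
    cf_rules "$1" | wc -l | tr -d ' '
}

# Apply for real (as root) with: ./cf-allowlist.sh --apply
# It reads the ranges from an assumed file path rather than the placeholders above.
if [ "${1:-}" = "--apply" ]; then
    cf_rules "$(cat /etc/cloudflare-ips.txt)" | sh
fi
```

Run it without arguments to print the rules, and re-run it whenever the published list changes, since a stale allow-list would start dropping legitimate CDN traffic.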

0

Using Nginx as a reverse proxy in front of Apache can help, as Nginx is often better at handling these types of attacks due to its architecture. It's worth trying. You've already tried mod_antiloris, but consider refining its settings further to adapt to lower connection rates: tweak the configuration to block clients with fewer connections, and if the attack becomes unmanageable, consider changing to a hosting provider with better DDoS protection.

