Hello,

I'm opening this to follow a discussion started here: 
https://stackoverflow.com/questions/47734383/apache-mod-wsgi-slowloris-dos-protection/47735073?noredirect=1#comment82431384_47735073

Software used: mod_wsgi 3.5 with Apache 2.4 with mpm_prefork

Basically, there's an odd behavior when requests are slow on purpose 
(slowloris attack), especially with a slow body. When a thread handles a 
request like this, even if the script returns a response immediately 
without reading the request body, the thread will block (won't process 
further requests) until the whole request body is received. This is to be 
expected, as explained by Graham, due to how proxying works.

However, looking at the server logs (see example below), the response seems 
to be sent immediately rather than after the whole request is read, which 
doesn't seem like the expected behavior. At this point, if this is really 
happening, it should be possible for the mod_wsgi thread to start receiving 
other requests and let the Apache process complete the request reading on 
its own, although the request is junk at that point but needs to be read 
in order to be able to receive a new request over the same connection.


-- Request started 00:36:51: Request is a slowloris attack, where the 
headers are sent normally, but the request body is sent slowly, details as 
follows:

slowhttptest version 1.6

test type:                        SLOW BODY
number of connections:            2
URL:                              https://some_url/adminx
verb:                             POST
Content-Length header value:      8192
follow up data max size:          22
interval between follow up data:  10 seconds
connections per seconds:          200
probe connection timeout:         25 seconds
test duration:                    240 seconds
using proxy:                      no proxy 


-- 1 second after (response is returned/logged instantly)

172.31.12.55 (some IP) - - [10/Dec/2017:00:36:52 +0000] "POST /adminx HTTP/1.1" 500 527 "https://github.com/shekyan/slowhttptest/"; "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoAppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30"

-- ~1 minute after, request times out, probably from the Apache 
RequestReadTimeout setting

[Sun Dec 10 00:37:55.035666 2017] [:error] [pid 7360] (70007)The timeout specified has expired: [client 172.31.12.55:4122] mod_wsgi (pid=7360): Unable to get bucket brigade for request., referer: https://github.com/shekyan/slowhttptest/

Below are the wsgi.conf and mod_reqtimeout.conf settings:


-- wsgi.conf

LoadModule wsgi_module modules/mod_wsgi.so
WSGIPythonHome /opt/python/run/baselinenv
WSGISocketPrefix run/wsgi
WSGIRestrictEmbedded On

<VirtualHost *:80>

Alias /static/ /opt/python/current/app/static/
<Directory /opt/python/current/app/static/>
Order allow,deny
Allow from all
</Directory>


WSGIScriptAlias / /some_path/wsgi.py

<Directory /opt/python/current/app/>
  Require all granted
</Directory>

WSGIDaemonProcess wsgi processes=1 threads=15 display-name=%{GROUP} \
  python-path=/opt/python/current/app:/opt/python/run/venv/lib64/python2.7/site-packages:/opt/python/run/venv/lib/python2.7/site-packages \
  user=wsgi group=wsgi \
  home=/opt/python/current/app
WSGIProcessGroup wsgi
</VirtualHost>

LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined




-- mod_reqtimeout.conf

<IfModule reqtimeout_module>
  RequestReadTimeout header=62,MinRate=500 body=62,MinRate=500
</IfModule>


I cannot provide the test code used, since it's actual real code. However, 
it's just a regular Django view.
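As an added example (not part of the original post, and not mod_wsgi or Apache code), the script below does what the post does by hand: it parses the access-log entry that is written as soon as the WSGI response is produced and the "Unable to get bucket brigade" error that appears only when the body read hits RequestReadTimeout, then joins the two per client IP so that the gap between them, and the number of workers tied up, is visible. It assumes the LogFormat from the wsgi.conf above, assumes both logs are in UTC, and all sample lines, IPs and the 203.0.113.8 X-Forwarded-For value are constructed for illustration.

```python
"""Correlate Apache access-log entries with mod_wsgi body-read timeouts.

Added example, not from the post.  Assumptions: the access log uses the
LogFormat quoted in the post (%h (%{X-Forwarded-For}i) ...), both logs use
UTC, and every sample line below is constructed, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime

# RequestReadTimeout body=62 is the value from the post's mod_reqtimeout.conf.
REQUEST_READ_TIMEOUT_BODY = 62

# Access-log line in the post's custom "combined" LogFormat.
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \((?P<xff>[^)]*)\) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# APR error 70007 logged by mod_wsgi when reading the request body times out.
# The module tag is "[:error]" in the post; newer builds log "[wsgi:error]".
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[[^\]]*:error\] \[pid (?P<pid>\d+)\] \(70007\)'
    r'The timeout specified has expired: \[client (?P<client>.+?):\d+\] '
    r'mod_wsgi \(pid=\d+\): Unable to get bucket brigade for request'
)

# Constructed sample input: two slow-body POSTs logged at once, one benign GET,
# and the matching timeout errors about 63 seconds later.
ACCESS_LINES = [
    '172.31.12.55 (203.0.113.8) - - [10/Dec/2017:00:36:52 +0000] '
    '"POST /adminx HTTP/1.1" 500 527 "https://github.com/shekyan/slowhttptest/" "Mozilla/5.0"',
    '172.31.12.55 (203.0.113.8) - - [10/Dec/2017:00:36:52 +0000] '
    '"POST /adminx HTTP/1.1" 500 527 "https://github.com/shekyan/slowhttptest/" "Mozilla/5.0"',
    '198.51.100.9 (-) - - [10/Dec/2017:00:36:53 +0000] '
    '"GET /static/app.css HTTP/1.1" 200 1044 "-" "Mozilla/5.0"',
]
ERROR_LINES = [
    '[Sun Dec 10 00:37:55.035666 2017] [:error] [pid 7360] (70007)The timeout '
    'specified has expired: [client 172.31.12.55:4122] mod_wsgi (pid=7360): '
    'Unable to get bucket brigade for request., referer: https://github.com/shekyan/slowhttptest/',
    '[Sun Dec 10 00:37:55.041201 2017] [:error] [pid 7361] (70007)The timeout '
    'specified has expired: [client 172.31.12.55:4123] mod_wsgi (pid=7361): '
    'Unable to get bucket brigade for request., referer: https://github.com/shekyan/slowhttptest/',
]


def parse_access(line):
    """Fields of one access-log line (naive UTC timestamp), or None if no match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    rec["status"] = int(rec["status"])
    return rec


def parse_error(line):
    """Fields of one body-read timeout error line, or None if it is something else."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
    rec["pid"] = int(rec["pid"])
    return rec


def slow_body_report(access_lines, error_lines, threshold=1):
    """Join timeouts with requests per client IP; keep clients with >= threshold timeouts.

    The access entry is written when the response is produced, so it can precede
    the timeout by roughly REQUEST_READ_TIMEOUT_BODY seconds while the worker
    (one pid per error line) is still blocked reading the body.
    """
    requests = defaultdict(list)
    for rec in filter(None, map(parse_access, access_lines)):
        requests[rec["host"]].append(rec)
    timeouts = defaultdict(list)
    for rec in filter(None, map(parse_error, error_lines)):
        timeouts[rec["client"]].append(rec)

    report = {}
    for ip, errs in timeouts.items():
        if len(errs) < threshold:
            continue
        reqs = requests.get(ip, [])
        first_req = min((r["ts"] for r in reqs), default=None)
        last_err = max(e["ts"] for e in errs)
        gap = None if first_req is None else (last_err - first_req).total_seconds()
        report[ip] = {
            "timeouts": len(errs),
            "requests": len(reqs),
            "paths": sorted({r["path"] for r in reqs}),
            "pids": sorted({e["pid"] for e in errs}),
            "seconds_to_timeout": gap,
            # True when the gap is explained by the configured body timeout (+/-5 s slack).
            "within_body_timeout": gap is not None and abs(gap - REQUEST_READ_TIMEOUT_BODY) <= 5,
        }
    return report


if __name__ == "__main__":
    for ip, info in slow_body_report(ACCESS_LINES, ERROR_LINES).items():
        print(ip, info)
```

Run as-is it prints one entry for 172.31.12.55: two timeouts on two different pids about 63 seconds after the requests were logged, which is consistent with `body=62` in the post's RequestReadTimeout. Point it at real `access_log` and `error_log` files by reading them line by line into the two functions; the 500s in the access log alone do not tell you a worker is still blocked, the error line does.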
