Hi all,

In order to protect ourselves from a slowloris-type attack, we have
configured the mod_reqtimeout module on our Apache 2.2.17 installation
(running on Solaris, MPM compiled).  The mod_reqtimeout is configured as
follows:

RequestReadTimeout header=10-20,MinRate=500 body=10-20,MinRate=500

We are testing using the OWASP http_dos_cli tool and are still able to make
the site unreachable in a couple of seconds.  In the logs we do see that
requests are being timed out and the connections closed at the correct
moment, but the client is receiving a 200 status code instead of a 408.
This difference keeps our mod_security rule set from gathering timeout
statistics and blocking further requests from this IP.

Any idea on why mod_reqtimeout is returning 200 and not 408?

The original discussion on the owasp-modsecurity-core-rule-set mailing
list:
https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2011-April/000722.html

Thanks a bunch!
GB
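As an added example (not part of the original thread, and not the OWASP http_dos_cli tool), the probe below reproduces the observation the post is based on from the client side: it sends an incomplete header, waits, and records whether the server answered with a 408, dropped the connection silently, or accepted the finished request with a 200. To make it run offline it is paired with a small constructed mock server whose two modes imitate the two behaviours a timed-out header can produce; the mock uses a plain idle timeout, which is a simplification of the mod_reqtimeout window (header=10-20 with MinRate=500 extends the initial 10 s by one second per 500 bytes received, up to 20 s). Pointed at a real host and port, only slow_header_probe is needed.

```python
import socket
import threading
import time


def _serve_one_connection(listener, mode, header_timeout):
    """Constructed mock: accept one connection and apply a header read timeout.

    mode == "408":   a timed-out header gets '408 Request Time-out', then close.
    mode == "close": a timed-out connection is dropped with no response at all.
    A complete header within the window gets '200 OK'.
    """
    conn, _ = listener.accept()
    conn.settimeout(header_timeout)          # idle timeout, simpler than MinRate
    buf = b""
    timed_out = False
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                break                        # client went away
            buf += chunk
    except socket.timeout:
        timed_out = True
    except OSError:
        pass                                 # reset by client; just close
    try:
        if timed_out and mode == "408":
            conn.sendall(b"HTTP/1.1 408 Request Time-out\r\n"
                         b"Connection: close\r\nContent-Length: 0\r\n\r\n")
        elif not timed_out and b"\r\n\r\n" in buf:
            conn.sendall(b"HTTP/1.1 200 OK\r\n"
                         b"Connection: close\r\nContent-Length: 0\r\n\r\n")
    finally:
        conn.close()


def start_mock_server(mode, header_timeout=0.5):
    """Start a throwaway server on 127.0.0.1; returns (listener, port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]

    def loop():
        while True:
            try:
                _serve_one_connection(listener, mode, header_timeout)
            except OSError:
                return                       # listener closed
    threading.Thread(target=loop, daemon=True).start()
    return listener, port


def slow_header_probe(host, port, stall=1.5, read_timeout=2.0):
    """Send a partial header, stall, then report what the server did.

    Returns {"status": int or None, "closed_early": bool, "raw": bytes}.
    status None with closed_early True means the connection was dropped
    without any HTTP response; a client library may then report nothing
    useful, which is the symptom worth comparing against the access log.
    """
    s = socket.create_connection((host, port), timeout=read_timeout)
    data = b""
    closed_early = False
    try:
        # Request line plus Host, deliberately without the terminating CRLF CRLF.
        s.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n")
        # Instead of sleeping blind, wait on the socket so a 408 sent during
        # the stall is captured before we touch the connection again.
        s.settimeout(max(stall, 0.05))
        try:
            chunk = s.recv(4096)
            closed_early = True              # server reacted to the stall
            data += chunk                    # b"" here means EOF, no response
        except socket.timeout:
            pass                             # server is still waiting on us
        except OSError:
            closed_early = True              # connection reset
        if not closed_early:
            s.settimeout(read_timeout)
            s.sendall(b"X-Slow: 1\r\n\r\n")  # finish the header normally
        s.settimeout(read_timeout)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass                             # timeout or reset while draining
    finally:
        s.close()
    status = None
    if data.startswith(b"HTTP/"):
        parts = data.split(b"\r\n", 1)[0].split()
        if len(parts) >= 2 and parts[1].isdigit():
            status = int(parts[1])
    return {"status": status, "closed_early": closed_early, "raw": data}


def describe(result):
    """One-line classification of a probe result."""
    if result["status"] is not None:
        return "server answered %d%s" % (
            result["status"], " during the stall" if result["closed_early"] else "")
    return "connection dropped with no HTTP response"


if __name__ == "__main__":
    for mode in ("408", "close"):
        _, port = start_mock_server(mode)
        print("mock mode %-5s slow client: %s" % (mode, describe(slow_header_probe("127.0.0.1", port))))
        print("mock mode %-5s fast client: %s" % (mode, describe(slow_header_probe("127.0.0.1", port, stall=0.1))))
```

The probe distinguishes three outcomes: a 408 received before the client finished its header, a silent close (no status line at all), and a normal 200 after the header is completed. Running it against the production host with a stall longer than the configured header window shows which of these the server actually produces, which is the fact the mod_security rule needs to key on.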
